BUG: sleeping function called from invalid context in do_user_addr

BUG: sleeping function called from invalid context in do_user_addr_fault
Status: closed as dup on 2020/09/02 22:06
Reported-by: syzbot+7748c5375dc20dfdb92f@syzkaller.appspotmail.com
First crash: 464d, last: 380d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) :
commit 033724d6864245a11f8e04c066002e6ad22b3fd0
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Wed Jul 15 01:51:02 2020 +0000

fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

Duplicate of (1):
Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported
general protection fault in syscall_return_slowpath	syz	inconclusive	done	1	478d	565d

similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	BUG: sleeping function called from invalid context in do_user_addr_fault (2)	syz	done	unreliable	15	55d	273d	0/22	upstream: reported syz repro on 2020/12/25 13:45

Sample crash report:

BUG: sleeping function called from invalid context at arch/x86/mm/fault.c:1253
in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 6824, name: syz-executor.2
1 lock held by syz-executor.2/6824:
 #0: ffff88809abb82a8 (&mm->mmap_lock#2){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:56 [inline]
 #0: ffff88809abb82a8 (&mm->mmap_lock#2){++++}-{3:3}, at: do_user_addr_fault+0x344/0xba0 arch/x86/mm/fault.c:1236
irq event stamp: 190300
hardirqs last  enabled at (190299): [<ffffffff881efdef>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last  enabled at (190299): [<ffffffff881efdef>] _raw_spin_unlock_irqrestore+0x6f/0xd0 kernel/locking/spinlock.c:191
hardirqs last disabled at (190300): [<ffffffff810075c2>] __syscall_return_slowpath+0x52/0x180 arch/x86/entry/common.c:328
softirqs last  enabled at (187494): [<ffffffff88200f0f>] asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:711
softirqs last disabled at (187473): [<ffffffff88200f0f>] asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:711
CPU: 0 PID: 6824 Comm: syz-executor.2 Not tainted 5.8.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 ___might_sleep+0x3c0/0x570 kernel/sched/core.c:6899
 do_user_addr_fault+0x377/0xba0 arch/x86/mm/fault.c:1253
 handle_page_fault arch/x86/mm/fault.c:1365 [inline]
 exc_page_fault+0x124/0x1f0 arch/x86/mm/fault.c:1418
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:565
RIP: 0010:__prepare_exit_to_usermode+0x52/0x1e0 arch/x86/entry/common.c:240
Code: 24 50 15 00 00 0f 85 8f 01 00 00 f0 41 80 64 24 03 7f 83 3d 9f e9 6c 08 00 74 23 41 83 bc 24 cc 08 00 00 00 75 18 41 83 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc90001607f10 EFLAGS: 00010006
RAX: 0000000000000000 RBX: 000000000000003d RCX: ffff888095318300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90001607f58
RBP: 0000000000000000 R08: ffffffff817a2250 R09: ffffed10128c82ed
R10: ffffed10128c82ed R11: 0000000000000000 R12: ffff888095318300
R13: 0000000000000000 R14: ffffc90001607f58 R15: ffffc90001607f58
 do_syscall_64+0x7f/0xe0 arch/x86/entry/common.c:368
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4169ca
Code: Bad RIP value.
RSP: 002b:00007fff61070cd8 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: 0000000000000000 RBX: 000000000000e1d1 RCX: 00000000004169ca
RDX: 0000000040000001 RSI: 00007fff61070d10 RDI: ffffffffffffffff
RBP: 0000000000000002 R08: 0000000000000001 R09: 0000000001cf2940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008
R13: 00007fff61070d10 R14: 000000000000de93 R15: 00007fff61070d20
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD a7cf1067 P4D a7cf1067 PUD a0728067 PMD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6824 Comm: syz-executor.2 Tainted: G        W         5.8.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__prepare_exit_to_usermode+0x52/0x1e0 arch/x86/entry/common.c:240
Code: 24 50 15 00 00 0f 85 8f 01 00 00 f0 41 80 64 24 03 7f 83 3d 9f e9 6c 08 00 74 23 41 83 bc 24 cc 08 00 00 00 75 18 41 83 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc90001607f10 EFLAGS: 00010006
RAX: 0000000000000000 RBX: 000000000000003d RCX: ffff888095318300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90001607f58
RBP: 0000000000000000 R08: ffffffff817a2250 R09: ffffed10128c82ed
R10: ffffed10128c82ed R11: 0000000000000000 R12: ffff888095318300
R13: 0000000000000000 R14: ffffc90001607f58 R15: ffffc90001607f58
FS:  0000000001cf2940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a380c000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 do_syscall_64+0x7f/0xe0 arch/x86/entry/common.c:368
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4169ca
Code: Bad RIP value.
RSP: 002b:00007fff61070cd8 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: 0000000000000000 RBX: 000000000000e1d1 RCX: 00000000004169ca
RDX: 0000000040000001 RSI: 00007fff61070d10 RDI: ffffffffffffffff
RBP: 0000000000000002 R08: 0000000000000001 R09: 0000000001cf2940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008
R13: 00007fff61070d10 R14: 000000000000de93 R15: 00007fff61070d20
Modules linked in:
CR2: 0000000000000000
---[ end trace bee8a2ac971d1076 ]---
RIP: 0010:__prepare_exit_to_usermode+0x52/0x1e0 arch/x86/entry/common.c:240
Code: 24 50 15 00 00 0f 85 8f 01 00 00 f0 41 80 64 24 03 7f 83 3d 9f e9 6c 08 00 74 23 41 83 bc 24 cc 08 00 00 00 75 18 41 83 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffffc90001607f10 EFLAGS: 00010006
RAX: 0000000000000000 RBX: 000000000000003d RCX: ffff888095318300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90001607f58
RBP: 0000000000000000 R08: ffffffff817a2250 R09: ffffed10128c82ed
R10: ffffed10128c82ed R11: 0000000000000000 R12: ffff888095318300
R13: 0000000000000000 R14: ffffc90001607f58 R15: ffffc90001607f58
FS:  0000000001cf2940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a380c000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (10):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro
ci-upstream-kasan-gce-smack-root	2020/07/07 20:15	upstream	7cc2a8ea1048	51095195	.config	log	report	syz
ci-upstream-kasan-gce-smack-root	2020/08/03 00:55	upstream	ac3a0c847296	63a73341	.config	log	report
ci-upstream-kasan-gce-root	2020/07/26 22:40	upstream	04300d66f0a0	51265195	.config	log	report
ci-upstream-kasan-gce-root	2020/07/18 02:20	upstream	8882572675c1	9c812472	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/07/08 17:00	upstream	7cc2a8ea1048	51095195	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/07/08 11:31	upstream	7cc2a8ea1048	51095195	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/07/06 13:43	upstream	7cc2a8ea1048	51095195	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/06/17 17:17	upstream	7ae77150d94d	b9f3810b	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/06/17 10:04	upstream	7ae77150d94d	b9f3810b	.config	log	report
ci-upstream-kasan-gce-386	2020/09/08 17:28	upstream	f4d51dffc6c0	abf9ba4f	.config	log	report