R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31ddf6d6d4 R13: 00000000004c84ee R14: 00000000004e0740 R15: 0000000000000007 9pnet_virtio: no channels available for device 127.0.0.1 ttyprintk ttyprintk: tty_port_close_start: tty->count = 1 port count = 2 ====================================================== WARNING: possible circular locking dependency detected 4.14.163-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.2/16517 is trying to acquire lock: (console_owner){-.-.}, at: [] console_trylock_spinning kernel/printk/printk.c:1658 [inline] (console_owner){-.-.}, at: [] vprintk_emit kernel/printk/printk.c:1922 [inline] (console_owner){-.-.}, at: [] vprintk_emit+0x2f1/0x600 kernel/printk/printk.c:1888 but task is already holding lock: (&(&port->lock)->rlock){-.-.}, at: [] tty_port_close_start.part.0+0x2b/0x4e0 drivers/tty/tty_port.c:572 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&(&port->lock)->rlock){-.-.}: lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:160 tty_port_tty_get+0x22/0x90 drivers/tty/tty_port.c:287 tty_port_default_wakeup+0x16/0x40 drivers/tty/tty_port.c:46 tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:389 uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:116 serial8250_tx_chars+0x40d/0xa10 drivers/tty/serial/8250/8250_port.c:1810 serial8250_handle_irq.part.0+0x206/0x250 drivers/tty/serial/8250/8250_port.c:1883 serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1869 [inline] serial8250_default_handle_irq+0xa1/0x120 drivers/tty/serial/8250/8250_port.c:1899 serial8250_interrupt+0xe9/0x1a0 drivers/tty/serial/8250/8250_core.c:129 __handle_irq_event_percpu+0x125/0x7f0 kernel/irq/handle.c:147 handle_irq_event_percpu+0x65/0x130 kernel/irq/handle.c:187 handle_irq_event+0xa7/0x134 kernel/irq/handle.c:204 handle_edge_irq+0x22b/0x840 kernel/irq/chip.c:770 generic_handle_irq_desc include/linux/irqdesc.h:159 [inline] handle_irq+0x39/0x50 arch/x86/kernel/irq_64.c:87 do_IRQ+0x99/0x1d0 arch/x86/kernel/irq.c:230 ret_from_intr+0x0/0x1e arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] _raw_spin_unlock_irqrestore+0x95/0xe0 kernel/locking/spinlock.c:192 spin_unlock_irqrestore include/linux/spinlock.h:372 [inline] uart_write+0x29a/0x4f0 drivers/tty/serial/serial_core.c:625 process_output_block drivers/tty/n_tty.c:595 [inline] n_tty_write+0x38b/0xf20 drivers/tty/n_tty.c:2333 do_tty_write drivers/tty/tty_io.c:959 [inline] tty_write+0x3f6/0x700 drivers/tty/tty_io.c:1043 redirected_tty_write+0xa3/0xb0 drivers/tty/tty_io.c:1064 __vfs_write+0x105/0x6b0 fs/read_write.c:480 vfs_write+0x198/0x500 fs/read_write.c:544 SYSC_write fs/read_write.c:590 [inline] SyS_write+0xfd/0x230 fs/read_write.c:582 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #1 (&port_lock_key){-.-.}: lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:160 serial8250_console_write+0x709/0x930 drivers/tty/serial/8250/8250_port.c:3232 univ8250_console_write+0x5f/0x70 drivers/tty/serial/8250/8250_core.c:597 call_console_drivers kernel/printk/printk.c:1725 [inline] console_unlock+0x9ba/0xed0 kernel/printk/printk.c:2397 vprintk_emit kernel/printk/printk.c:1923 [inline] vprintk_emit+0x1f9/0x600 kernel/printk/printk.c:1888 vprintk_default+0x28/0x30 kernel/printk/printk.c:1963 vprintk_func+0x5d/0x159 kernel/printk/printk_safe.c:401 printk+0x9e/0xbc kernel/printk/printk.c:1996 register_console+0x614/0x9e0 kernel/printk/printk.c:2716 univ8250_console_init+0x33/0x3f drivers/tty/serial/8250/8250_core.c:692 console_init+0x4d/0x5d kernel/printk/printk.c:2797 start_kernel+0x43c/0x6fd init/main.c:634 x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:399 x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:380 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240 -> #0 (console_owner){-.-.}: check_prev_add kernel/locking/lockdep.c:1901 [inline] check_prevs_add kernel/locking/lockdep.c:2018 [inline] validate_chain kernel/locking/lockdep.c:2460 [inline] __lock_acquire+0x2cb3/0x4620 kernel/locking/lockdep.c:3487 lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994 console_trylock_spinning kernel/printk/printk.c:1679 [inline] vprintk_emit kernel/printk/printk.c:1922 [inline] vprintk_emit+0x32e/0x600 kernel/printk/printk.c:1888 vprintk_default+0x28/0x30 kernel/printk/printk.c:1963 vprintk_func+0x5d/0x159 kernel/printk/printk_safe.c:401 printk+0x9e/0xbc kernel/printk/printk.c:1996 tty_port_close_start.part.0+0x491/0x4e0 drivers/tty/tty_port.c:574 tty_port_close_start drivers/tty/tty_port.c:646 [inline] tty_port_close+0x41/0xc0 drivers/tty/tty_port.c:639 tpk_close+0x7a/0x8c drivers/char/ttyprintk.c:109 tty_release+0x373/0xd60 drivers/tty/tty_io.c:1670 __fput+0x275/0x7a0 fs/file_table.c:210 ____fput+0x16/0x20 fs/file_table.c:244 task_work_run+0x114/0x190 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:270 [inline] do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x42/0xb7 other info that might help us debug this: Chain exists of: console_owner --> &port_lock_key --> &(&port->lock)->rlock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&(&port->lock)->rlock); lock(&port_lock_key); lock(&(&port->lock)->rlock); lock(console_owner); *** DEADLOCK *** 2 locks held by syz-executor.2/16517: #0: (&tty->legacy_mutex){+.+.}, at: [] tty_lock+0x68/0x80 drivers/tty/tty_mutex.c:19 #1: (&(&port->lock)->rlock){-.-.}, at: [] tty_port_close_start.part.0+0x2b/0x4e0 drivers/tty/tty_port.c:572 stack backtrace: CPU: 1 PID: 16517 Comm: syz-executor.2 Not tainted 4.14.163-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1901 [inline] check_prevs_add kernel/locking/lockdep.c:2018 [inline] validate_chain kernel/locking/lockdep.c:2460 [inline] __lock_acquire+0x2cb3/0x4620 kernel/locking/lockdep.c:3487 lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994 console_trylock_spinning kernel/printk/printk.c:1679 [inline] vprintk_emit kernel/printk/printk.c:1922 [inline] vprintk_emit+0x32e/0x600 kernel/printk/printk.c:1888 vprintk_default+0x28/0x30 kernel/printk/printk.c:1963 vprintk_func+0x5d/0x159 kernel/printk/printk_safe.c:401 printk+0x9e/0xbc kernel/printk/printk.c:1996 tty_port_close_start.part.0+0x491/0x4e0 drivers/tty/tty_port.c:574 tty_port_close_start drivers/tty/tty_port.c:646 [inline] tty_port_close+0x41/0xc0 drivers/tty/tty_port.c:639 tpk_close+0x7a/0x8c drivers/char/ttyprintk.c:109 tty_release+0x373/0xd60 drivers/tty/tty_io.c:1670 __fput+0x275/0x7a0 fs/file_table.c:210 ____fput+0x16/0x20 fs/file_table.c:244 task_work_run+0x114/0x190 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:270 [inline] do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x414ae1 RSP: 002b:00007ffc53b1e8f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000414ae1 RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000007 RBP: 0000000000000000 R08: 0000000000762068 R09: ffffffffffffffff R10: 00007ffc53b1e9c0 R11: 0000000000000293 R12: 000000000075bf20 R13: 0000000000000003 R14: 0000000000762070 R15: 000000000075bf2c netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. 9pnet_virtio: no channels available for device 127.0.0.1 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 9pnet_virtio: no channels available for device 127.0.0.1 CPU: 1 PID: 16565 Comm: syz-executor.1 Not tainted 4.14.163-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10f/0x159 lib/fault-inject.c:149 should_failslab+0xdb/0x130 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3376 [inline] kmem_cache_alloc+0x2d7/0x780 mm/slab.c:3550 __fscache_acquire_cookie+0xe1/0x430 fs/fscache/cookie.c:89 fscache_acquire_cookie include/linux/fscache.h:339 [inline] v9fs_cache_session_get_cookie+0xa0/0x1d0 fs/9p/cache.c:91 v9fs_session_init+0xce5/0x1620 fs/9p/v9fs.c:486 v9fs_mount+0x7d/0x870 fs/9p/vfs_super.c:135 mount_fs+0x97/0x2a1 fs/super.c:1237 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x417/0x27d0 fs/namespace.c:2879 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3072 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45af49 RSP: 002b:00007f31ddf6cc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f31ddf6cc90 RCX: 000000000045af49 RDX: 0000000020000900 RSI: 0000000020000180 RDI: 0000000000000000 RBP: 000000000075bf20 R08: 0000000020000680 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31ddf6d6d4 R13: 00000000004c84ee R14: 00000000004e0740 R15: 0000000000000007 9pnet_virtio: no channels available for device 127.0.0.1 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 9pnet_virtio: no channels available for device 127.0.0.1 net_ratelimit: 4 callbacks suppressed protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1 9pnet_virtio: no channels available for device 127.0.0.1 CPU: 0 PID: 16597 Comm: syz-executor.1 Not tainted 4.14.163-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10f/0x159 lib/fault-inject.c:149 should_failslab+0xdb/0x130 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3376 [inline] kmem_cache_alloc_trace+0x2e9/0x790 mm/slab.c:3616 kmalloc include/linux/slab.h:488 [inline] kzalloc include/linux/slab.h:661 [inline] alloc_super fs/super.c:197 [inline] sget_userns+0xfe/0xc30 fs/super.c:516 sget+0xd6/0x120 fs/super.c:572 v9fs_mount+0xa8/0x870 fs/9p/vfs_super.c:141 mount_fs+0x97/0x2a1 fs/super.c:1237 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x417/0x27d0 fs/namespace.c:2879 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3072 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45af49 RSP: 002b:00007f31ddf6cc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f31ddf6cc90 RCX: 000000000045af49 RDX: 0000000020000900 RSI: 0000000020000180 RDI: 0000000000000000 RBP: 000000000075bf20 R08: 0000000020000680 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31ddf6d6d4 R13: 00000000004c84ee R14: 00000000004e0740 R15: 0000000000000007 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. CPU: 1 PID: 16631 Comm: syz-executor.1 Not tainted 4.14.163-syzkaller #0 9pnet_virtio: no channels available for device 127.0.0.1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10f/0x159 lib/fault-inject.c:149 should_failslab+0xdb/0x130 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3376 [inline] kmem_cache_alloc_trace+0x2e9/0x790 mm/slab.c:3616 kmalloc include/linux/slab.h:488 [inline] kzalloc include/linux/slab.h:661 [inline] superblock_alloc_security security/selinux/hooks.c:390 [inline] selinux_sb_alloc_security+0x46/0x220 security/selinux/hooks.c:2655 security_sb_alloc+0x6d/0xa0 security/security.c:358 alloc_super fs/super.c:207 [inline] sget_userns+0x196/0xc30 fs/super.c:516 sget+0xd6/0x120 fs/super.c:572 v9fs_mount+0xa8/0x870 fs/9p/vfs_super.c:141 mount_fs+0x97/0x2a1 fs/super.c:1237 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x417/0x27d0 fs/namespace.c:2879 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3072 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45af49 RSP: 002b:00007f31ddf6cc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f31ddf6cc90 RCX: 000000000045af49 RDX: 0000000020000900 RSI: 0000000020000180 RDI: 0000000000000000 RBP: 000000000075bf20 R08: 0000000020000680 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31ddf6d6d4 R13: 00000000004c84ee R14: 00000000004e0740 R15: 0000000000000007 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 CPU: 0 PID: 16654 Comm: syz-executor.1 Not tainted 4.14.163-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 protocol 88fb is buggy, dev hsr_slave_0 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10f/0x159 lib/fault-inject.c:149 protocol 88fb is buggy, dev hsr_slave_1 should_failslab+0xdb/0x130 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3376 [inline] __do_kmalloc mm/slab.c:3718 [inline] __kmalloc+0x2f0/0x7a0 mm/slab.c:3729 kmalloc include/linux/slab.h:493 [inline] kzalloc include/linux/slab.h:661 [inline] __list_lru_init+0x6b/0x660 mm/list_lru.c:539 alloc_super fs/super.c:231 [inline] sget_userns+0x500/0xc30 fs/super.c:516 9pnet_virtio: no channels available for device 127.0.0.1 sget+0xd6/0x120 fs/super.c:572 v9fs_mount+0xa8/0x870 fs/9p/vfs_super.c:141 mount_fs+0x97/0x2a1 fs/super.c:1237 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x417/0x27d0 fs/namespace.c:2879 9pnet_virtio: no channels available for device 127.0.0.1 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3072 9pnet_virtio: no channels available for device 127.0.0.1 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45af49 RSP: 002b:00007f31ddf6cc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f31ddf6cc90 RCX: 000000000045af49 RDX: 0000000020000900 RSI: 0000000020000180 RDI: 0000000000000000 RBP: 000000000075bf20 R08: 0000000020000680 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31ddf6d6d4 R13: 00000000004c84ee R14: 00000000004e0740 R15: 0000000000000007 9pnet_virtio: no channels available for device 127.0.0.1 kvm [16670]: vcpu0, guest rIP: 0x145 Hyper-V unhandled rdmsr: 0x40000017 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 FAULT_INJECTION: forcing a failure. name fail_page_alloc, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 16705 Comm: syz-executor.1 Not tainted 4.14.163-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10f/0x159 lib/fault-inject.c:149 should_fail_alloc_page mm/page_alloc.c:2891 [inline] prepare_alloc_pages mm/page_alloc.c:4124 [inline] __alloc_pages_nodemask+0x1d6/0x7a0 mm/page_alloc.c:4172 __alloc_pages include/linux/gfp.h:484 [inline] __alloc_pages_node include/linux/gfp.h:497 [inline] kmem_getpages mm/slab.c:1419 [inline] cache_grow_begin+0x80/0x400 mm/slab.c:2676 cache_alloc_refill mm/slab.c:3043 [inline] ____cache_alloc mm/slab.c:3125 [inline] ____cache_alloc mm/slab.c:3108 [inline] __do_cache_alloc mm/slab.c:3347 [inline] slab_alloc mm/slab.c:3382 [inline] kmem_cache_alloc_trace+0x6b2/0x790 mm/slab.c:3616 kmalloc include/linux/slab.h:488 [inline] kzalloc include/linux/slab.h:661 [inline] alloc_super fs/super.c:197 [inline] sget_userns+0xfe/0xc30 fs/super.c:516 sget+0xd6/0x120 fs/super.c:572 v9fs_mount+0xa8/0x870 fs/9p/vfs_super.c:141 mount_fs+0x97/0x2a1 fs/super.c:1237 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x417/0x27d0 fs/namespace.c:2879 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3072 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45af49 RSP: 002b:00007f31ddf6cc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f31ddf6cc90 RCX: 000000000045af49 RDX: 0000000020000900 RSI: 0000000020000180 RDI: 0000000000000000 RBP: 000000000075bf20 R08: 0000000020000680 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31ddf6d6d4 R13: 00000000004c84ee R14: 00000000004e0740 R15: 0000000000000007 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 CPU: 0 PID: 16723 Comm: syz-executor.1 Not tainted 4.14.163-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10f/0x159 lib/fault-inject.c:149 should_failslab+0xdb/0x130 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3376 [inline] __do_kmalloc mm/slab.c:3718 [inline] __kmalloc+0x2f0/0x7a0 mm/slab.c:3729 kmalloc include/linux/slab.h:493 [inline] kzalloc include/linux/slab.h:661 [inline] register_shrinker+0xbd/0x220 mm/vmscan.c:284 sget_userns+0x9bf/0xc30 fs/super.c:535 sget+0xd6/0x120 fs/super.c:572 v9fs_mount+0xa8/0x870 fs/9p/vfs_super.c:141 mount_fs+0x97/0x2a1 fs/super.c:1237 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x417/0x27d0 fs/namespace.c:2879 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3072 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45af49 RSP: 002b:00007f31ddf6cc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f31ddf6cc90 RCX: 000000000045af49 RDX: 0000000020000900 RSI: 0000000020000180 RDI: 0000000000000000 RBP: 000000000075bf20 R08: 0000000020000680 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31ddf6d6d4 R13: 00000000004c84ee R14: 00000000004e0740 R15: 0000000000000007 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 9pnet: Found fid 0 not clunked ================================================================== BUG: KASAN: use-after-free in p9_client_clunk+0x131/0x150 net/9p/client.c:1505 Read of size 8 at addr ffff88807a711780 by task syz-executor.1/16723 CPU: 0 PID: 16723 Comm: syz-executor.1 Not tainted 4.14.163-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252 9pnet_virtio: no channels available for device 127.0.0.1 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430 p9_client_clunk+0x131/0x150 net/9p/client.c:1505 v9fs_mount+0x6b9/0x870 fs/9p/vfs_super.c:200 mount_fs+0x97/0x2a1 fs/super.c:1237 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x417/0x27d0 fs/namespace.c:2879 9pnet_virtio: no channels available for device 127.0.0.1 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3072 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45af49 RSP: 002b:00007f31ddf6cc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f31ddf6cc90 RCX: 000000000045af49 RDX: 0000000020000900 RSI: 0000000020000180 RDI: 0000000000000000 RBP: 000000000075bf20 R08: 0000000020000680 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31ddf6d6d4 R13: 00000000004c84ee R14: 00000000004e0740 R15: 0000000000000007 Allocated by task 16723: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 9pnet_virtio: no channels available for device 127.0.0.1 save_stack+0x45/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc mm/kasan/kasan.c:551 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529 kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618 kmalloc include/linux/slab.h:488 [inline] p9_fid_create+0x4e/0x3b0 net/9p/client.c:918 p9_client_attach+0x7f/0x6a0 net/9p/client.c:1158 v9fs_session_init+0xc56/0x1620 fs/9p/v9fs.c:471 v9fs_mount+0x7d/0x870 fs/9p/vfs_super.c:135 mount_fs+0x97/0x2a1 fs/super.c:1237 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x417/0x27d0 fs/namespace.c:2879 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3072 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 Freed by task 16723: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x45/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kfree+0xcc/0x270 mm/slab.c:3815 p9_fid_destroy+0x1cd/0x280 net/9p/client.c:957 9pnet_virtio: no channels available for device 127.0.0.1 p9_client_destroy.cold+0x61/0xac net/9p/client.c:1121 v9fs_session_close+0x4a/0x2c0 fs/9p/v9fs.c:511 v9fs_kill_super+0x4e/0xa0 fs/9p/vfs_super.c:233 deactivate_locked_super+0x74/0xe0 fs/super.c:319 sget_userns+0x9d9/0xc30 fs/super.c:537 sget+0xd6/0x120 fs/super.c:572 v9fs_mount+0xa8/0x870 fs/9p/vfs_super.c:141 mount_fs+0x97/0x2a1 fs/super.c:1237 9pnet_virtio: no channels available for device 127.0.0.1 vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x417/0x27d0 fs/namespace.c:2879 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xab/0x120 fs/namespace.c:3072 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 9pnet_virtio: no channels available for device 127.0.0.1 9pnet_virtio: no channels available for device 127.0.0.1 The buggy address belongs to the object at ffff88807a711780 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 0 bytes inside of 96-byte region [ffff88807a711780, ffff88807a7117e0) The buggy address belongs to the page: page:ffffea0001e9c440 count:1 mapcount:0 mapping:ffff88807a711000 index:0x0 flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffff88807a711000 0000000000000000 0000000100000020 raw: ffffea00024a3c60 ffffea00022786e0 ffff8880aa8004c0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88807a711680: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88807a711700: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88807a711780: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88807a711800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88807a711880: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ================================================================== protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1