Extracting prog: 34.12060244s
Minimizing prog: 2m3.855992306s
Simplifying prog options: 0s
Extracting C: 35.482609458s
Simplifying C: 3m57.571388604s
16 programs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 16 programs
single: executing 4 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
detailed listing:
executing program 0:
r0 = syz_open_procfs$namespace(0x0, &(0x7f0000000000)='ns/pid_for_children\x00')
ioctl$NS_GET_PARENT(r0, 0x8004b708, 0x0)
program crashed: WARNING: lock held when returning to user space in ns_ioctl
single: successfully extracted reproducer
found reproducer with 2 syscalls
minimizing guilty program
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace
detailed listing:
executing program 0:
syz_open_procfs$namespace(0x0, &(0x7f0000000000)='ns/pid_for_children\x00')
program did not crash
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$NS_GET_PARENT
detailed listing:
executing program 0:
ioctl$NS_GET_PARENT(0xffffffffffffffff, 0x8004b708, 0x0)
program did not crash
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
detailed listing:
executing program 0:
r0 = syz_open_procfs$namespace(0x0, 0x0)
ioctl$NS_GET_PARENT(r0, 0x8004b708, 0x0)
program did not crash
extracting C reproducer
testing compiled C program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
program crashed: WARNING: lock held when returning to user space!
simplifying C reproducer
testing compiled C program (duration=22.5s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
program crashed: WARNING: lock held when returning to user space in ns_ioctl
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
program crashed: WARNING: lock held when returning to user space in ns_ioctl
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
program crashed: WARNING: lock held when returning to user space in ns_ioctl
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
program crashed: WARNING: lock held when returning to user space in ns_ioctl
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
program crashed: WARNING: lock held when returning to user space in ns_ioctl
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
program crashed: WARNING: lock held when returning to user space in ns_ioctl
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs$namespace-ioctl$NS_GET_PARENT
program crashed: WARNING: lock held when returning to user space in ns_ioctl
reproducing took 7m11.030610108s
repro crashed as (corrupted=false):
================================================
WARNING: lock held when returning to user space!
6.10.0-syzkaller-04472-g51835949dda3 #0 Not tainted
------------------------------------------------
syz-executor221/5193 is leaving the kernel with locks still held!
1 lock held by syz-executor221/5193:
#0: ffffffff8dbb15e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:327 [inline]
#0: ffffffff8dbb15e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:839 [inline]
#0: ffffffff8dbb15e0 (rcu_read_lock){....}-{1:2}, at: ns_ioctl+0x217/0x7b0 fs/nsfs.c:184
BUG: sleeping function called from invalid context at include/linux/sched/mm.h:337
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5193, name: syz-executor221
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
INFO: lockdep is turned off.
CPU: 2 PID: 5193 Comm: syz-executor221 Not tainted 6.10.0-syzkaller-04472-g51835949dda3 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:114
__might_resched+0x3c0/0x5e0 kernel/sched/core.c:8437
might_alloc include/linux/sched/mm.h:337 [inline]
prepare_alloc_pages.constprop.0+0x3d2/0x560 mm/page_alloc.c:4454
__alloc_pages_noprof+0x194/0x2460 mm/page_alloc.c:4672
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2265
vma_alloc_folio_noprof+0xad/0x1f0 mm/mempolicy.c:2304
folio_prealloc mm/memory.c:1048 [inline]
wp_page_copy mm/memory.c:3285 [inline]
do_wp_page+0xf51/0x3290 mm/memory.c:3677
handle_pte_fault mm/memory.c:5397 [inline]
__handle_mm_fault+0x2311/0x53d0 mm/memory.c:5524
handle_mm_fault+0x476/0xa00 mm/memory.c:5689
do_user_addr_fault+0x60d/0x13f0 arch/x86/mm/fault.c:1338
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fbc9c636b80
Code: 84 dd fe ff ff 4c 89 e7 e8 ed 90 00 00 e9 d0 fe ff ff 0f 1f 84 00 00 00 00 00 49 8b 06 48 89 45 00 48 85 c0 0f 85 85 00 00 00 05 49 25 0a 00 01 31 c0 87 05 19 21 0a 00 83 f8 01 0f 8f 84 00
RSP: 002b:00007ffeee7b5950 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00007fbc9c6d7ab8
RBP: 00007fbc9c6d6110 R08: 0000000000000000 R09: 65732f636f72702f
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc9c6d8ca8
R13: 0000000000000000 R14: 00007fbc9c6d8cc0 R15: 00007fbc9c62fa60
final repro crashed as (corrupted=false):
================================================
WARNING: lock held when returning to user space!
6.10.0-syzkaller-04472-g51835949dda3 #0 Not tainted
------------------------------------------------
syz-executor221/5193 is leaving the kernel with locks still held!
1 lock held by syz-executor221/5193:
#0: ffffffff8dbb15e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:327 [inline]
#0: ffffffff8dbb15e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:839 [inline]
#0: ffffffff8dbb15e0 (rcu_read_lock){....}-{1:2}, at: ns_ioctl+0x217/0x7b0 fs/nsfs.c:184
BUG: sleeping function called from invalid context at include/linux/sched/mm.h:337
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5193, name: syz-executor221
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
INFO: lockdep is turned off.
CPU: 2 PID: 5193 Comm: syz-executor221 Not tainted 6.10.0-syzkaller-04472-g51835949dda3 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:114
__might_resched+0x3c0/0x5e0 kernel/sched/core.c:8437
might_alloc include/linux/sched/mm.h:337 [inline]
prepare_alloc_pages.constprop.0+0x3d2/0x560 mm/page_alloc.c:4454
__alloc_pages_noprof+0x194/0x2460 mm/page_alloc.c:4672
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2265
vma_alloc_folio_noprof+0xad/0x1f0 mm/mempolicy.c:2304
folio_prealloc mm/memory.c:1048 [inline]
wp_page_copy mm/memory.c:3285 [inline]
do_wp_page+0xf51/0x3290 mm/memory.c:3677
handle_pte_fault mm/memory.c:5397 [inline]
__handle_mm_fault+0x2311/0x53d0 mm/memory.c:5524
handle_mm_fault+0x476/0xa00 mm/memory.c:5689
do_user_addr_fault+0x60d/0x13f0 arch/x86/mm/fault.c:1338
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fbc9c636b80
Code: 84 dd fe ff ff 4c 89 e7 e8 ed 90 00 00 e9 d0 fe ff ff 0f 1f 84 00 00 00 00 00 49 8b 06 48 89 45 00 48 85 c0 0f 85 85 00 00 00 05 49 25 0a 00 01 31 c0 87 05 19 21 0a 00 83 f8 01 0f 8f 84 00
RSP: 002b:00007ffeee7b5950 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00007fbc9c6d7ab8
RBP: 00007fbc9c6d6110 R08: 0000000000000000 R09: 65732f636f72702f
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc9c6d8ca8
R13: 0000000000000000 R14: 00007fbc9c6d8cc0 R15: 00007fbc9c62fa60