bisecting cause commit starting from 6ba1b005ffc388c2aeaddae20da29e4810dea298 building syzkaller on 19a8de55e59983d1ec21e544a4f35fb1ca4438a5 testing commit 6ba1b005ffc388c2aeaddae20da29e4810dea298 with gcc (GCC) 8.1.0 kernel signature: 23a5d58d2fb784d8c89bba8aecec34bd5bf4b370fdc31557c4e2974e8e930f46 run #0: crashed: INFO: task hung in pipe_release run #1: crashed: INFO: task hung in pipe_release run #2: crashed: INFO: task hung in pipe_release run #3: crashed: INFO: task hung in pipe_release run #4: crashed: INFO: task hung in pipe_release run #5: crashed: INFO: task hung in pipe_release run #6: crashed: INFO: task hung in pipe_release run #7: crashed: INFO: task hung in pipe_release run #8: crashed: INFO: task hung in pipe_release run #9: boot failed: can't ssh into the instance testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: 4079de4732000a35234faa7f1f3045450f643ed11723ade49ae21daf5a98976f all runs: crashed: INFO: task hung in pipe_release testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: dec452fe443397abd6377a46b3a48beec4a22ba6d3f57dc412c34a1209e6458c all runs: crashed: INFO: task hung in pipe_release testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 0b133a9f9886ceb5ce7db2086d5d256f5754f34e03f676771eb3874b4ed4b783 all runs: OK # git bisect start 7111951b8d4973bda27ff663f2cf18b663d15b48 d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 Bisecting: 6113 revisions left to test after this (roughly 13 steps) [9f68e3655aae6d49d6ba05dd263f99f33c2567af] Merge tag 'drm-next-2020-01-30' of git://anongit.freedesktop.org/drm/drm testing commit 9f68e3655aae6d49d6ba05dd263f99f33c2567af with gcc (GCC) 8.1.0 kernel signature: 5ef019808938f567db79d40bcd57431bc6d0a2206a1d88777308ab20a93abea8 all runs: crashed: INFO: task hung in pipe_release # git bisect bad 9f68e3655aae6d49d6ba05dd263f99f33c2567af Bisecting: 3686 revisions left to test after this (roughly 12 steps) [fb95aae6e67c4e319a24b3eea32032d4246a5335] Merge tag 'sound-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit fb95aae6e67c4e319a24b3eea32032d4246a5335 with gcc (GCC) 8.1.0 kernel signature: 95f54547e85174a561d09eb9c73bfa1556668d9df216d69855483491fe91f4ba run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect good fb95aae6e67c4e319a24b3eea32032d4246a5335 Bisecting: 1843 revisions left to test after this (roughly 11 steps) [8815a94f27d2f30fe1216ce10c7da0f6ae69ca0f] drm/vmwgfx: move the require_exist handling together testing commit 8815a94f27d2f30fe1216ce10c7da0f6ae69ca0f with gcc (GCC) 8.1.0 kernel signature: 7197807346966ed02e6e62d296d0f255dc9c9358c29cb7d7a406626d2c296ed7 all runs: boot failed: general protection fault in do_mount_root # git bisect skip 8815a94f27d2f30fe1216ce10c7da0f6ae69ca0f Bisecting: 1842 revisions left to test after this (roughly 11 steps) [4872e6aa217fbb475ffa0ad7bda0d9acff543f2c] drm/vmwgfx: check master authentication in surface_ref ioctls testing commit 4872e6aa217fbb475ffa0ad7bda0d9acff543f2c with gcc (GCC) 8.1.0 kernel signature: 00addf7fda3ab5de59f8fcfb0ca1ccc347bf75dc6ac7e86317e4de199c5c7abb all runs: boot failed: general protection fault in do_mount_root # git bisect skip 4872e6aa217fbb475ffa0ad7bda0d9acff543f2c Bisecting: 1842 revisions left to test after this (roughly 11 steps) [fa889d85551e0bd962fdefe1cc113f9ba1d04a36] Merge tag 'gpio-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio testing commit fa889d85551e0bd962fdefe1cc113f9ba1d04a36 with gcc (GCC) 8.1.0 kernel signature: 12eafb61e7e8ae3cc3b90f58f0a50ebf82655d49af9122442bbaee5f6f95c1c7 all runs: OK # git bisect good fa889d85551e0bd962fdefe1cc113f9ba1d04a36 Bisecting: 1827 revisions left to test after this (roughly 11 steps) [dd22dfa62c9cb2669ed4b181e359645108c69578] Merge branch 'linux-5.6' of git://github.com/skeggsb/linux into drm-next testing commit dd22dfa62c9cb2669ed4b181e359645108c69578 with gcc (GCC) 8.1.0 kernel signature: e9c3d61a61d6d76588aaf3ef91e423b08f6b92e5b2cc675afd41c4b34ab83354 all runs: boot failed: general protection fault in do_mount_root # git bisect skip dd22dfa62c9cb2669ed4b181e359645108c69578 Bisecting: 1827 revisions left to test after this (roughly 11 steps) [1d47d0bb72895e754ffbdc410314ddb9c790c6fa] fbdev: omapfb: use devm_platform_ioremap_resource() to simplify code testing commit 1d47d0bb72895e754ffbdc410314ddb9c790c6fa with gcc (GCC) 8.1.0 kernel signature: d065984fb58b7cdaad9ec37d45d2de2b464b4fa5af7e09a7c2c42cd2bf6db903 all runs: OK # git bisect good 1d47d0bb72895e754ffbdc410314ddb9c790c6fa Bisecting: 1573 revisions left to test after this (roughly 11 steps) [3d4743131b8de970faa4b979ead0fadfe5d2de9d] Backmerge v5.5-rc7 into drm-next testing commit 3d4743131b8de970faa4b979ead0fadfe5d2de9d with gcc (GCC) 8.1.0 kernel signature: 73bf53ff2e6a5581d5219a47210e9407e01badda86a08c06d7d164446cb1af19 all runs: OK # git bisect good 3d4743131b8de970faa4b979ead0fadfe5d2de9d Bisecting: 751 revisions left to test after this (roughly 10 steps) [7ba31c3f2f1ee095d8126f4d3757fc3b2bc3c838] Merge tag 'staging-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging testing commit 7ba31c3f2f1ee095d8126f4d3757fc3b2bc3c838 with gcc (GCC) 8.1.0 kernel signature: cc63cf2f50c9e7a1c76d1cbfb8e9dee2e6ed9a211885ae37a17a71eabd850c64 all runs: OK # git bisect good 7ba31c3f2f1ee095d8126f4d3757fc3b2bc3c838 Bisecting: 303 revisions left to test after this (roughly 9 steps) [33c84e89abe4a92ab699c33029bd54269d574782] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 33c84e89abe4a92ab699c33029bd54269d574782 with gcc (GCC) 8.1.0 kernel signature: 6a665a6a615f7295c1c22b684f011f04487a3d3c8401a596d298ba50549800be all runs: crashed: INFO: task hung in pipe_release # git bisect bad 33c84e89abe4a92ab699c33029bd54269d574782 Bisecting: 223 revisions left to test after this (roughly 8 steps) [ce7ae9d9fe4391413db680ce0732da2144b6f4a3] Merge tag 'linux-kselftest-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest testing commit ce7ae9d9fe4391413db680ce0732da2144b6f4a3 with gcc (GCC) 8.1.0 kernel signature: 8a0c05df2bdc88c709fa35ae51239abca3c0d27400857059e5704b7491b5836e all runs: crashed: INFO: task hung in pipe_release # git bisect bad ce7ae9d9fe4391413db680ce0732da2144b6f4a3 Bisecting: 105 revisions left to test after this (roughly 7 steps) [701a9c8092ddf299d7f90ab2d66b19b4526d1186] Merge tag 'char-misc-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit 701a9c8092ddf299d7f90ab2d66b19b4526d1186 with gcc (GCC) 8.1.0 kernel signature: ebcc23500842a05029fc8fe7ec222b03846650875356d0fc6f337af447314461 all runs: OK # git bisect good 701a9c8092ddf299d7f90ab2d66b19b4526d1186 Bisecting: 63 revisions left to test after this (roughly 6 steps) [587065dcac64e88132803cdb0a7f26bb4a79cf46] fs/adfs: bigdir: Fix an error code in adfs_fplus_read() testing commit 587065dcac64e88132803cdb0a7f26bb4a79cf46 with gcc (GCC) 8.1.0 kernel signature: 5f552f4b06eb94a5cf8ada7f20130c152b800949a8ceabecae8e705f1263a18c all runs: OK # git bisect good 587065dcac64e88132803cdb0a7f26bb4a79cf46 Bisecting: 32 revisions left to test after this (roughly 5 steps) [3893c2025fec6f0fa4b2d794f36bd56a55e46dec] Merge tag 'erofs-for-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs testing commit 3893c2025fec6f0fa4b2d794f36bd56a55e46dec with gcc (GCC) 8.1.0 kernel signature: f4c3e20cbe4ec2c5c029f26447f54384e69dd0c3424a0082d6f64404fd25c17c all runs: crashed: INFO: task hung in pipe_release # git bisect bad 3893c2025fec6f0fa4b2d794f36bd56a55e46dec Bisecting: 17 revisions left to test after this (roughly 4 steps) [b55eef872a96738ea9cb35774db5ce9a7d3a648f] Documentation: path-lookup: include new LOOKUP flags testing commit b55eef872a96738ea9cb35774db5ce9a7d3a648f with gcc (GCC) 8.1.0 kernel signature: e26c85444daa39ac513fae9ab1621f26d7136bec29b3f5ff0234e30969c3d324 all runs: crashed: INFO: task hung in pipe_release # git bisect bad b55eef872a96738ea9cb35774db5ce9a7d3a648f Bisecting: 6 revisions left to test after this (roughly 3 steps) [4b99d4996979d582859c5a49072e92de124bf691] namei: LOOKUP_NO_MAGICLINKS: block magic-link resolution testing commit 4b99d4996979d582859c5a49072e92de124bf691 with gcc (GCC) 8.1.0 kernel signature: 5626ebc58bd719a34398cd2e9a23bb0f647c0c68dd13db5b86ffd2c77de75b00 all runs: OK # git bisect good 4b99d4996979d582859c5a49072e92de124bf691 Bisecting: 3 revisions left to test after this (roughly 2 steps) [8db52c7e7ee1bd861b6096fcafc0fe7d0f24a994] namei: LOOKUP_IN_ROOT: chroot-like scoped resolution testing commit 8db52c7e7ee1bd861b6096fcafc0fe7d0f24a994 with gcc (GCC) 8.1.0 kernel signature: 183a1865f293a513efdb1fa5bd3d7afa0f965b3f352b23f45473627a4e029241 all runs: OK # git bisect good 8db52c7e7ee1bd861b6096fcafc0fe7d0f24a994 Bisecting: 1 revision left to test after this (roughly 1 step) [fddb5d430ad9fa91b49b1d34d0202ffe2fa0e179] open: introduce openat2(2) syscall testing commit fddb5d430ad9fa91b49b1d34d0202ffe2fa0e179 with gcc (GCC) 8.1.0 kernel signature: e8cfa368c5a67bf146c403561ab7997cbff240f1a81e81b2d55b32a459f604e7 all runs: crashed: INFO: task hung in pipe_release # git bisect bad fddb5d430ad9fa91b49b1d34d0202ffe2fa0e179 Bisecting: 0 revisions left to test after this (roughly 0 steps) [ab87f9a56c8ee9fa6856cb13d8f2905db913baae] namei: LOOKUP_{IN_ROOT,BENEATH}: permit limited ".." resolution testing commit ab87f9a56c8ee9fa6856cb13d8f2905db913baae with gcc (GCC) 8.1.0 kernel signature: a93372ec7e59741a97956be4db3dcfbf41bb7544d1adfa7dc53c5ebe4c798cd1 all runs: OK # git bisect good ab87f9a56c8ee9fa6856cb13d8f2905db913baae fddb5d430ad9fa91b49b1d34d0202ffe2fa0e179 is the first bad commit commit fddb5d430ad9fa91b49b1d34d0202ffe2fa0e179 Author: Aleksa Sarai Date: Sat Jan 18 23:07:59 2020 +1100 open: introduce openat2(2) syscall /* Background. */ For a very long time, extending openat(2) with new features has been incredibly frustrating. This stems from the fact that openat(2) is possibly the most famous counter-example to the mantra "don't silently accept garbage from userspace" -- it doesn't check whether unknown flags are present[1]. This means that (generally) the addition of new flags to openat(2) has been fraught with backwards-compatibility issues (O_TMPFILE has to be defined as __O_TMPFILE|O_DIRECTORY|[O_RDWR or O_WRONLY] to ensure old kernels gave errors, since it's insecure to silently ignore the flag[2]). All new security-related flags therefore have a tough road to being added to openat(2). Userspace also has a hard time figuring out whether a particular flag is supported on a particular kernel. While it is now possible with contemporary kernels (thanks to [3]), older kernels will expose unknown flag bits through fcntl(F_GETFL). Giving a clear -EINVAL during openat(2) time matches modern syscall designs and is far more fool-proof. In addition, the newly-added path resolution restriction LOOKUP flags (which we would like to expose to user-space) don't feel related to the pre-existing O_* flag set -- they affect all components of path lookup. We'd therefore like to add a new flag argument. Adding a new syscall allows us to finally fix the flag-ignoring problem, and we can make it extensible enough so that we will hopefully never need an openat3(2). /* Syscall Prototype. */ /* * open_how is an extensible structure (similar in interface to * clone3(2) or sched_setattr(2)). The size parameter must be set to * sizeof(struct open_how), to allow for future extensions. All future * extensions will be appended to open_how, with their zero value * acting as a no-op default. */ struct open_how { /* ... */ }; int openat2(int dfd, const char *pathname, struct open_how *how, size_t size); /* Description. */ The initial version of 'struct open_how' contains the following fields: flags Used to specify openat(2)-style flags. However, any unknown flag bits or otherwise incorrect flag combinations (like O_PATH|O_RDWR) will result in -EINVAL. In addition, this field is 64-bits wide to allow for more O_ flags than currently permitted with openat(2). mode The file mode for O_CREAT or O_TMPFILE. Must be set to zero if flags does not contain O_CREAT or O_TMPFILE. resolve Restrict path resolution (in contrast to O_* flags they affect all path components). The current set of flags are as follows (at the moment, all of the RESOLVE_ flags are implemented as just passing the corresponding LOOKUP_ flag). RESOLVE_NO_XDEV => LOOKUP_NO_XDEV RESOLVE_NO_SYMLINKS => LOOKUP_NO_SYMLINKS RESOLVE_NO_MAGICLINKS => LOOKUP_NO_MAGICLINKS RESOLVE_BENEATH => LOOKUP_BENEATH RESOLVE_IN_ROOT => LOOKUP_IN_ROOT open_how does not contain an embedded size field, because it is of little benefit (userspace can figure out the kernel open_how size at runtime fairly easily without it). It also only contains u64s (even though ->mode arguably should be a u16) to avoid having padding fields which are never used in the future. Note that as a result of the new how->flags handling, O_PATH|O_TMPFILE is no longer permitted for openat(2). As far as I can tell, this has always been a bug and appears to not be used by userspace (and I've not seen any problems on my machines by disallowing it). If it turns out this breaks something, we can special-case it and only permit it for openat(2) but not openat2(2). After input from Florian Weimer, the new open_how and flag definitions are inside a separate header from uapi/linux/fcntl.h, to avoid problems that glibc has with importing that header. /* Testing. */ In a follow-up patch there are over 200 selftests which ensure that this syscall has the correct semantics and will correctly handle several attack scenarios. In addition, I've written a userspace library[4] which provides convenient wrappers around openat2(RESOLVE_IN_ROOT) (this is necessary because no other syscalls support RESOLVE_IN_ROOT, and thus lots of care must be taken when using RESOLVE_IN_ROOT'd file descriptors with other syscalls). During the development of this patch, I've run numerous verification tests using libpathrs (showing that the API is reasonably usable by userspace). /* Future Work. */ Additional RESOLVE_ flags have been suggested during the review period. These can be easily implemented separately (such as blocking auto-mount during resolution). Furthermore, there are some other proposed changes to the openat(2) interface (the most obvious example is magic-link hardening[5]) which would be a good opportunity to add a way for userspace to restrict how O_PATH file descriptors can be re-opened. Another possible avenue of future work would be some kind of CHECK_FIELDS[6] flag which causes the kernel to indicate to userspace which openat2(2) flags and fields are supported by the current kernel (to avoid userspace having to go through several guesses to figure it out). [1]: https://lwn.net/Articles/588444/ [2]: https://lore.kernel.org/lkml/CA+55aFyyxJL1LyXZeBsf2ypriraj5ut1XkNDsunRBqgVjZU_6Q@mail.gmail.com [3]: commit 629e014bb834 ("fs: completely ignore unknown open flags") [4]: https://sourceware.org/bugzilla/show_bug.cgi?id=17523 [5]: https://lore.kernel.org/lkml/20190930183316.10190-2-cyphar@cyphar.com/ [6]: https://youtu.be/ggD-eb3yPVs Suggested-by: Christian Brauner Signed-off-by: Aleksa Sarai Signed-off-by: Al Viro CREDITS | 4 +- MAINTAINERS | 1 + arch/alpha/kernel/syscalls/syscall.tbl | 1 + arch/arm/tools/syscall.tbl | 1 + arch/arm64/include/asm/unistd.h | 2 +- arch/arm64/include/asm/unistd32.h | 2 + arch/ia64/kernel/syscalls/syscall.tbl | 1 + arch/m68k/kernel/syscalls/syscall.tbl | 1 + arch/microblaze/kernel/syscalls/syscall.tbl | 1 + arch/mips/kernel/syscalls/syscall_n32.tbl | 1 + arch/mips/kernel/syscalls/syscall_n64.tbl | 1 + arch/mips/kernel/syscalls/syscall_o32.tbl | 1 + arch/parisc/kernel/syscalls/syscall.tbl | 1 + arch/powerpc/kernel/syscalls/syscall.tbl | 1 + arch/s390/kernel/syscalls/syscall.tbl | 1 + arch/sh/kernel/syscalls/syscall.tbl | 1 + arch/sparc/kernel/syscalls/syscall.tbl | 1 + arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + arch/xtensa/kernel/syscalls/syscall.tbl | 1 + fs/open.c | 147 +++++++++++++++++++++------- include/linux/fcntl.h | 16 ++- include/linux/syscalls.h | 3 + include/uapi/asm-generic/unistd.h | 5 +- include/uapi/linux/fcntl.h | 2 +- include/uapi/linux/openat2.h | 39 ++++++++ 26 files changed, 198 insertions(+), 39 deletions(-) create mode 100644 include/uapi/linux/openat2.h culprit signature: e8cfa368c5a67bf146c403561ab7997cbff240f1a81e81b2d55b32a459f604e7 parent signature: a93372ec7e59741a97956be4db3dcfbf41bb7544d1adfa7dc53c5ebe4c798cd1 revisions tested: 23, total time: 5h52m2.12250762s (build: 2h27m15.325511592s, test: 3h22m16.638813836s) first bad commit: fddb5d430ad9fa91b49b1d34d0202ffe2fa0e179 open: introduce openat2(2) syscall recipients (to): ["James.Bottomley@HansenPartnership.com" "arnd@arndb.de" "borntraeger@de.ibm.com" "christian@brauner.io" "cyphar@cyphar.com" "dalias@libc.org" "deller@gmx.de" "geert@linux-m68k.org" "gor@linux.ibm.com" "heiko.carstens@de.ibm.com" "jhogan@kernel.org" "linux-alpha@vger.kernel.org" "linux-api@vger.kernel.org" "linux-arch@vger.kernel.org" "linux-arm-kernel@lists.infradead.org" "linux-m68k@lists.linux-m68k.org" "linux-mips@vger.kernel.org" "linux-parisc@vger.kernel.org" "linux-s390@vger.kernel.org" "linux-sh@vger.kernel.org" "luto@kernel.org" "monstr@monstr.eu" "paulburton@kernel.org" "ralf@linux-mips.org" "viro@zeniv.linux.org.uk" "ysato@users.sourceforge.jp"] recipients (cc): ["amanieu@gmail.com" "benh@kernel.crashing.org" "bfields@fieldses.org" "bp@alien8.de" "catalin.marinas@arm.com" "chris@zankel.net" "corbet@lwn.net" "davem@davemloft.net" "fenghua.yu@intel.com" "hpa@zytor.com" "ink@jurassic.park.msu.ru" "jcmvbkbc@gmail.com" "jlayton@kernel.org" "kvalo@codeaurora.org" "linux-fsdevel@vger.kernel.org" "linux-ia64@vger.kernel.org" "linux-kernel@vger.kernel.org" "linux-xtensa@linux-xtensa.org" "linux@armlinux.org.uk" "linux@dominikbrodowski.net" "linuxppc-dev@lists.ozlabs.org" "luis.f.correia@gmail.com" "martink@posteo.de" "mattst88@gmail.com" "mingo@redhat.com" "mpe@ellerman.id.au" "paulus@samba.org" "rth@twiddle.net" "samitolvanen@google.com" "sparclinux@vger.kernel.org" "svens@stackframe.org" "tglx@linutronix.de" "tony.luck@intel.com" "viro@zeniv.linux.org.uk" "will@kernel.org" "x86@kernel.org"] crash: INFO: task hung in pipe_release INFO: task syz-executor.5:8470 blocked for more than 143 seconds. Not tainted 5.5.0-rc1-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.5 D27672 8470 7101 0x00000004 Call Trace: schedule+0xc4/0x2b0 kernel/sched/core.c:4155 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4214 __mutex_lock_common kernel/locking/mutex.c:1036 [inline] __mutex_lock+0x8a0/0x13e0 kernel/locking/mutex.c:1106 __pipe_lock fs/pipe.c:86 [inline] pipe_release+0x42/0x1b0 fs/pipe.c:680 __fput+0x256/0x780 fs/file_table.c:280 task_work_run+0x103/0x180 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x23d/0x2d0 arch/x86/entry/common.c:164 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline] syscall_return_slowpath arch/x86/entry/common.c:278 [inline] do_syscall_64+0x4f8/0x5e0 arch/x86/entry/common.c:304 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x415ee1 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffd02984160 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000415ee1 RDX: 0000000000000000 RSI: 00000000007904d0 RDI: 0000000000000006 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 00007ffd02984250 R11: 0000000000000293 R12: 00000000007905a8 R13: 000000000000ca93 R14: ffffffffffffffff R15: 000000000078bfac Showing all locks held in the system: 2 locks held by kworker/u4:7/450: #0: ffff8880ae837398 (&rq->lock){-.-.}, at: rq_lock kernel/sched/sched.h:1215 [inline] #0: ffff8880ae837398 (&rq->lock){-.-.}, at: __schedule+0x23c/0x1970 kernel/sched/core.c:4029 #1: ffffffff8899a280 (rcu_read_lock){....}, at: trace_sched_stat_runtime include/trace/events/sched.h:435 [inline] #1: ffffffff8899a280 (rcu_read_lock){....}, at: update_curr+0x302/0x8c0 kernel/sched/fair.c:859 1 lock held by khungtaskd/1059: #0: ffffffff8899a280 (rcu_read_lock){....}, at: debug_show_all_locks+0x52/0x28d kernel/locking/lockdep.c:5332 1 lock held by in:imklog/6480: #0: ffff88809a855b60 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x96/0xb0 fs/file.c:801 1 lock held by syz-executor.5/8470: #0: ffff888088f32060 (&pipe->mutex/1){+.+.}, at: __pipe_lock fs/pipe.c:86 [inline] #0: ffff888088f32060 (&pipe->mutex/1){+.+.}, at: pipe_release+0x42/0x1b0 fs/pipe.c:680 3 locks held by syz-executor.5/8478: ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 1059 Comm: khungtaskd Not tainted 5.5.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 nmi_cpu_backtrace.cold.7+0x4b/0x83 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0x183/0x1ac lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline] watchdog+0x629/0xc70 kernel/hung_task.c:289 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 8478 Comm: syz-executor.5 Not tainted 5.5.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:iov_iter_alignment+0x287/0x670 lib/iov_iter.c:1234 Code: 48 89 ce 44 89 f5 31 c0 48 c1 ee 03 45 31 f6 41 b8 00 10 00 00 49 bf 00 00 00 00 00 fc ff df 4c 01 fe 85 ed 0f 84 b7 fe ff ff <80> 3e 00 0f 85 12 03 00 00 45 89 f4 49 c1 e4 04 4d 01 ec 49 8d 7c RSP: 0018:ffffc900046875d0 EFLAGS: 00000206 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90004687ce8 RDX: 0000000000000000 RSI: fffff520008d0f9d RDI: 0000000000000000 RBP: 0000000000001000 R08: 0000000000001000 R09: 0000000000000000 R10: 0000000000001000 R11: ffff8880ae838223 R12: ffff8880a7163000 R13: ffff8880a7163000 R14: 0000000000000000 R15: dffffc0000000000 FS: 00007fc6341f2700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f76b1d6e000 CR3: 000000009662d000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: iomap_dio_bio_actor+0x15b/0xd60 fs/iomap/direct-io.c:203 iomap_apply+0x1e7/0x930 fs/iomap/apply.c:80 iomap_dio_rw+0x840/0xe70 fs/iomap/direct-io.c:498 ext4_dio_write_iter fs/ext4/file.c:438 [inline] ext4_file_write_iter+0x559/0x1610 fs/ext4/file.c:545 call_write_iter include/linux/fs.h:1902 [inline] do_iter_readv_writev+0x4e5/0x7b0 fs/read_write.c:693 do_iter_write+0x123/0x530 fs/read_write.c:970 iter_file_splice_write+0x550/0xa20 fs/splice.c:760 do_splice_from fs/splice.c:863 [inline] do_splice+0x949/0x1500 fs/splice.c:1170 __do_sys_splice fs/splice.c:1447 [inline] __se_sys_splice fs/splice.c:1427 [inline] __x64_sys_splice+0x236/0x2c0 fs/splice.c:1427 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45c369 Code: 8d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fc6341f1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 0000000000032240 RCX: 000000000045c369 RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000005 RBP: 000000000078bff8 R08: 000000000000ffe0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bfac R13: 00007ffd029840ef R14: 00007fc6341f29c0 R15: 000000000078bfac