bisecting cause commit starting from 2f4c4d833153517c7791318f8608cf5c212cef68 building syzkaller on e955ac5009431b0201f2e3cf548472bb8acea696 testing commit 2f4c4d833153517c7791318f8608cf5c212cef68 with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in snd_seq_kernel_client_ctl testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 2f4c4d833153517c7791318f8608cf5c212cef68 v5.0 Bisecting: 9934 revisions left to test after this (roughly 13 steps) [92fff53b7191cae566be9ca6752069426c7f8241] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 92fff53b7191cae566be9ca6752069426c7f8241 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 92fff53b7191cae566be9ca6752069426c7f8241 Bisecting: 4995 revisions left to test after this (roughly 12 steps) [481a299e574f9a39fe9c81ef301f884072cbbe19] Merge remote-tracking branch 'jc_docs/docs-next' testing commit 481a299e574f9a39fe9c81ef301f884072cbbe19 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 481a299e574f9a39fe9c81ef301f884072cbbe19 Bisecting: 2485 revisions left to test after this (roughly 11 steps) [0332aa3127d78fa09021083897daa2f892e1f0c7] Merge remote-tracking branch 'drm-misc/for-linux-next' testing commit 0332aa3127d78fa09021083897daa2f892e1f0c7 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 0332aa3127d78fa09021083897daa2f892e1f0c7 Bisecting: 1334 revisions left to test after this (roughly 10 steps) [8f7b8f12d0ea41d76abb584cf4a5de9198377496] Merge remote-tracking branch 'thunderbolt/next' testing commit 8f7b8f12d0ea41d76abb584cf4a5de9198377496 with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in snd_seq_kernel_client_ctl # git bisect bad 8f7b8f12d0ea41d76abb584cf4a5de9198377496 Bisecting: 581 revisions left to test after this (roughly 9 steps) [7b7709c64890fe91fca6c0db5bd7aaa7b46f9ef2] Merge remote-tracking branch 'apparmor/apparmor-next' testing commit 7b7709c64890fe91fca6c0db5bd7aaa7b46f9ef2 with gcc (GCC) 8.1.0 run #0: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #1: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #2: crashed: INFO: task hung in odev_open run #3: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #4: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #5: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #6: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #7: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #8: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #9: crashed: INFO: task hung in snd_seq_kernel_client_ctl # git bisect bad 7b7709c64890fe91fca6c0db5bd7aaa7b46f9ef2 Bisecting: 326 revisions left to test after this (roughly 8 steps) [8731aa5e4a1a742c3ab4af2b71525034cbcaac6f] Merge remote-tracking branch 'input/next' testing commit 8731aa5e4a1a742c3ab4af2b71525034cbcaac6f with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in snd_seq_kernel_client_ctl # git bisect bad 8731aa5e4a1a742c3ab4af2b71525034cbcaac6f Bisecting: 120 revisions left to test after this (roughly 7 steps) [6bfff707985fff14fa79c851e53f9630e76a4860] dt-bindings: sound: rockchip: add compatible for rk3308/px30 testing commit 6bfff707985fff14fa79c851e53f9630e76a4860 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6bfff707985fff14fa79c851e53f9630e76a4860 Bisecting: 61 revisions left to test after this (roughly 6 steps) [f05dfd3f1cdc3833e21d74c0cf9b6d355ac8a2cd] Merge branch 'asoc-5.2' into asoc-next testing commit f05dfd3f1cdc3833e21d74c0cf9b6d355ac8a2cd with gcc (GCC) 8.1.0 all runs: OK # git bisect good f05dfd3f1cdc3833e21d74c0cf9b6d355ac8a2cd Bisecting: 31 revisions left to test after this (roughly 5 steps) [341a596bcbddd8597624a60c3a65118e8b2053fc] Merge remote-tracking branch 'regmap/for-next' testing commit 341a596bcbddd8597624a60c3a65118e8b2053fc with gcc (GCC) 8.1.0 all runs: OK # git bisect good 341a596bcbddd8597624a60c3a65118e8b2053fc Bisecting: 15 revisions left to test after this (roughly 4 steps) [4b24b960b10b6a4e30beba3ce097fa867b4a085f] ALSA: seq: Align temporary re-locking with irqsave version testing commit 4b24b960b10b6a4e30beba3ce097fa867b4a085f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4b24b960b10b6a4e30beba3ce097fa867b4a085f Bisecting: 8 revisions left to test after this (roughly 3 steps) [068b55cb4b1549cca88517f9dad37374d8eafaaa] Merge remote-tracking branch 'sound-asoc/for-next' testing commit 068b55cb4b1549cca88517f9dad37374d8eafaaa with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in snd_seq_kernel_client_ctl # git bisect bad 068b55cb4b1549cca88517f9dad37374d8eafaaa Bisecting: 3 revisions left to test after this (roughly 2 steps) [2eabc5ec8ab4d4748a82050dfcb994119b983750] ALSA: seq: Fix race of get-subscription call vs port-delete ioctls testing commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in snd_seq_kernel_client_ctl # git bisect bad 2eabc5ec8ab4d4748a82050dfcb994119b983750 Bisecting: 0 revisions left to test after this (roughly 1 step) [feb689025fbb6f0aa6297d3ddf97de945ea4ad32] ALSA: seq: Protect in-kernel ioctl calls with mutex testing commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 with gcc (GCC) 8.1.0 run #0: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #1: crashed: INFO: task hung in odev_open run #2: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #3: crashed: INFO: task hung in odev_release run #4: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #5: crashed: INFO: task hung in odev_open run #6: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #7: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #8: crashed: INFO: task hung in snd_seq_kernel_client_ctl run #9: crashed: INFO: task hung in snd_seq_kernel_client_ctl # git bisect bad feb689025fbb6f0aa6297d3ddf97de945ea4ad32 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f823b8a75527dca0b93cf577bbabbe47fd79b2a8] ALSA: seq: Remove superfluous irqsave flags testing commit f823b8a75527dca0b93cf577bbabbe47fd79b2a8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f823b8a75527dca0b93cf577bbabbe47fd79b2a8 feb689025fbb6f0aa6297d3ddf97de945ea4ad32 is the first bad commit commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 Author: Takashi Iwai Date: Tue Apr 9 17:35:22 2019 +0200 ALSA: seq: Protect in-kernel ioctl calls with mutex ALSA OSS sequencer calls the ioctl function indirectly via snd_seq_kernel_client_ctl(). While we already applied the protection against races between the normal ioctls and writes via the client's ioctl_mutex, this code path was left untouched. And this seems to be the cause of still remaining some rare UAF as spontaneously triggered by syzkaller. For the sake of robustness, wrap the ioctl_mutex also for the call via snd_seq_kernel_client_ctl(), too. Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai :040000 040000 91218bc77168f5b6f2c77a9b4eb125e44d53f0f8 344e5b0ccda71d84aec05d3331f445b75592998d M sound revisions tested: 16, total time: 4h7m22.783101682s (build: 1h33m46.276283812s, test: 2h27m37.658853539s) first bad commit: feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ALSA: seq: Protect in-kernel ioctl calls with mutex cc: ["alsa-devel@alsa-project.org" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"] crash: INFO: task hung in snd_seq_kernel_client_ctl INFO: task syz-executor.0:8618 blocked for more than 143 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.0 D28376 8618 8599 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 snd_seq_kernel_client_ctl+0xd2/0x150 sound/core/seq/seq_clientmgr.c:2351 snd_seq_oss_control sound/core/seq/oss/seq_oss_device.h:157 [inline] snd_seq_oss_writeq_clear+0xdf/0x140 sound/core/seq/oss/seq_oss_writeq.c:85 snd_seq_oss_writeq_delete+0x12/0x20 sound/core/seq/oss/seq_oss_writeq.c:69 free_devinfo+0x5c/0xb0 sound/core/seq/oss/seq_oss_init.c:406 port_delete+0xd3/0x170 sound/core/seq/seq_ports.c:272 snd_seq_delete_port+0x27c/0x380 sound/core/seq/seq_ports.c:301 snd_seq_ioctl_delete_port+0xa0/0x170 sound/core/seq/seq_clientmgr.c:1321 snd_seq_kernel_client_ctl+0xfe/0x150 sound/core/seq/seq_clientmgr.c:2352 snd_seq_event_port_detach+0xa4/0xe0 sound/core/seq/seq_ports.c:702 delete_port+0x66/0xa0 sound/core/seq/oss/seq_oss_init.c:354 snd_seq_oss_release+0xda/0x110 sound/core/seq/oss/seq_oss_init.c:433 odev_release+0x49/0x70 sound/core/seq/oss/seq_oss.c:153 __fput+0x252/0x800 fs/file_table.c:278 ____fput+0x9/0x10 fs/file_table.c:309 task_work_run+0x10e/0x190 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:166 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath arch/x86/entry/common.c:268 [inline] do_syscall_64+0x40d/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4120b1 Code: 48 c7 44 24 08 0c 00 00 00 e8 db 8f 01 00 48 8b 44 24 28 48 89 04 24 e8 7d 8e 01 00 48 8d 05 2a 0e 23 00 48 89 04 24 48 c7 44 <24> 08 0c 00 00 00 e8 b4 8f 01 00 48 8b 44 24 30 48 89 04 24 e8 e6 RSP: 002b:00007ffc34bdaa10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004120b1 RDX: 0000001b2d020000 RSI: 00000000007400b0 RDI: 0000000000000003 RBP: 000000000073c900 R08: 0000000000010ebd R09: 0000000000010ebd R10: 00007ffc34bdaae0 R11: 0000000000000293 R12: ffffffffffffffff R13: 0000000000010ebe R14: 00000000000003e8 R15: 000000000073bf0c INFO: task syz-executor.1:8622 blocked for more than 143 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.1 D28560 8622 8597 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 odev_open+0x59/0x80 sound/core/seq/oss/seq_oss.c:137 soundcore_open+0x3d0/0x5e0 sound/sound_core.c:597 chrdev_open+0x1f0/0x5c0 fs/char_dev.c:417 do_dentry_open+0x3e2/0xf40 fs/open.c:771 vfs_open+0x9a/0xc0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0xb52/0x3d10 fs/namei.c:3533 do_filp_open+0x177/0x250 fs/namei.c:3563 do_sys_open+0x1dd/0x370 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x98/0xf0 fs/open.c:1084 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: 83 c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 83 c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 83 c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 <83> c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 83 c7 10 0f 10 06 48 83 RSP: 002b:00007faf8f262c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582f9 RDX: 0000000000000001 RSI: 00000000200019c0 RDI: ffffffffffffff9c RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007faf8f2636d4 R13: 00000000004c46b4 R14: 00000000004d80e8 R15: 00000000ffffffff INFO: task syz-executor.1:8635 blocked for more than 144 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.1 D29544 8635 8597 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 odev_open+0x59/0x80 sound/core/seq/oss/seq_oss.c:137 soundcore_open+0x3d0/0x5e0 sound/sound_core.c:597 chrdev_open+0x1f0/0x5c0 fs/char_dev.c:417 do_dentry_open+0x3e2/0xf40 fs/open.c:771 vfs_open+0x9a/0xc0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0xb52/0x3d10 fs/namei.c:3533 do_filp_open+0x177/0x250 fs/namei.c:3563 do_sys_open+0x1dd/0x370 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x98/0xf0 fs/open.c:1084 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: 83 c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 83 c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 83 c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 <83> c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 83 c7 10 0f 10 06 48 83 RSP: 002b:00007faf8f241c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582f9 RDX: 0000000000000001 RSI: 00000000200019c0 RDI: ffffffffffffff9c RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007faf8f2426d4 R13: 00000000004c46b4 R14: 00000000004d80e8 R15: 00000000ffffffff INFO: task syz-executor.4:8625 blocked for more than 144 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.4 D29544 8625 8601 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 odev_open+0x59/0x80 sound/core/seq/oss/seq_oss.c:137 soundcore_open+0x3d0/0x5e0 sound/sound_core.c:597 chrdev_open+0x1f0/0x5c0 fs/char_dev.c:417 do_dentry_open+0x3e2/0xf40 fs/open.c:771 vfs_open+0x9a/0xc0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0xb52/0x3d10 fs/namei.c:3533 do_filp_open+0x177/0x250 fs/namei.c:3563 do_sys_open+0x1dd/0x370 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x98/0xf0 fs/open.c:1084 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: 83 c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 83 c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 83 c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 <83> c7 10 0f 10 06 48 83 c6 10 0f 11 07 48 83 c7 10 0f 10 06 48 83 RSP: 002b:00007f492e0a1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582f9 RDX: 0000000000000001 RSI: 00000000200019c0 RDI: ffffffffffffff9c RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f492e0a26d4 R13: 00000000004c46b4 R14: 00000000004d80e8 R15: 00000000ffffffff INFO: task syz-executor.4:8636 blocked for more than 144 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.4 D29544 8636 8601 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 odev_open+0x59/0x80 sound/core/seq/oss/seq_oss.c:137 soundcore_open+0x3d0/0x5e0 sound/sound_core.c:597 chrdev_open+0x1f0/0x5c0 fs/char_dev.c:417 do_dentry_open+0x3e2/0xf40 fs/open.c:771 vfs_open+0x9a/0xc0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0xb52/0x3d10 fs/namei.c:3533 do_filp_open+0x177/0x250 fs/namei.c:3563 do_sys_open+0x1dd/0x370 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x98/0xf0 fs/open.c:1084 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: Bad RIP value. RSP: 002b:00007f492e080c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582f9 RDX: 0000000000000001 RSI: 00000000200019c0 RDI: ffffffffffffff9c RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f492e0816d4 R13: 00000000004c46b4 R14: 00000000004d80e8 R15: 00000000ffffffff INFO: task syz-executor.5:8628 blocked for more than 145 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.5 D29544 8628 8606 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 odev_open+0x59/0x80 sound/core/seq/oss/seq_oss.c:137 soundcore_open+0x3d0/0x5e0 sound/sound_core.c:597 chrdev_open+0x1f0/0x5c0 fs/char_dev.c:417 do_dentry_open+0x3e2/0xf40 fs/open.c:771 vfs_open+0x9a/0xc0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0xb52/0x3d10 fs/namei.c:3533 do_filp_open+0x177/0x250 fs/namei.c:3563 do_sys_open+0x1dd/0x370 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x98/0xf0 fs/open.c:1084 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: Bad RIP value. RSP: 002b:00007f14b3317c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582f9 RDX: 0000000000000001 RSI: 00000000200019c0 RDI: ffffffffffffff9c RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f14b33186d4 R13: 00000000004c46b4 R14: 00000000004d80e8 R15: 00000000ffffffff INFO: task syz-executor.5:8637 blocked for more than 145 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.5 D29544 8637 8606 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 odev_open+0x59/0x80 sound/core/seq/oss/seq_oss.c:137 soundcore_open+0x3d0/0x5e0 sound/sound_core.c:597 chrdev_open+0x1f0/0x5c0 fs/char_dev.c:417 do_dentry_open+0x3e2/0xf40 fs/open.c:771 vfs_open+0x9a/0xc0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0xb52/0x3d10 fs/namei.c:3533 do_filp_open+0x177/0x250 fs/namei.c:3563 do_sys_open+0x1dd/0x370 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x98/0xf0 fs/open.c:1084 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: Bad RIP value. RSP: 002b:00007f14b32f6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582f9 RDX: 0000000000000001 RSI: 00000000200019c0 RDI: ffffffffffffff9c RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f14b32f76d4 R13: 00000000004c46b4 R14: 00000000004d80e8 R15: 00000000ffffffff INFO: task syz-executor.2:8631 blocked for more than 145 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.2 D29544 8631 8603 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 odev_open+0x59/0x80 sound/core/seq/oss/seq_oss.c:137 soundcore_open+0x3d0/0x5e0 sound/sound_core.c:597 chrdev_open+0x1f0/0x5c0 fs/char_dev.c:417 do_dentry_open+0x3e2/0xf40 fs/open.c:771 vfs_open+0x9a/0xc0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0xb52/0x3d10 fs/namei.c:3533 do_filp_open+0x177/0x250 fs/namei.c:3563 do_sys_open+0x1dd/0x370 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x98/0xf0 fs/open.c:1084 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: Bad RIP value. RSP: 002b:00007f0fd2218c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582f9 RDX: 0000000000000001 RSI: 00000000200019c0 RDI: ffffffffffffff9c RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0fd22196d4 R13: 00000000004c46b4 R14: 00000000004d80e8 R15: 00000000ffffffff INFO: task syz-executor.2:8638 blocked for more than 146 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.2 D29544 8638 8603 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 odev_open+0x59/0x80 sound/core/seq/oss/seq_oss.c:137 soundcore_open+0x3d0/0x5e0 sound/sound_core.c:597 chrdev_open+0x1f0/0x5c0 fs/char_dev.c:417 do_dentry_open+0x3e2/0xf40 fs/open.c:771 vfs_open+0x9a/0xc0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0xb52/0x3d10 fs/namei.c:3533 do_filp_open+0x177/0x250 fs/namei.c:3563 do_sys_open+0x1dd/0x370 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x98/0xf0 fs/open.c:1084 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: Bad RIP value. RSP: 002b:00007f0fd21f7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582f9 RDX: 0000000000000001 RSI: 00000000200019c0 RDI: ffffffffffffff9c RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0fd21f86d4 R13: 00000000004c46b4 R14: 00000000004d80e8 R15: 00000000ffffffff INFO: task syz-executor.3:8634 blocked for more than 146 seconds. Not tainted 5.1.0-rc1+ #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.3 D28520 8634 8605 0x00000004 Call Trace: context_switch kernel/sched/core.c:2877 [inline] __schedule+0x904/0x1c20 kernel/sched/core.c:3518 schedule+0x7f/0x180 kernel/sched/core.c:3562 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3620 __mutex_lock_common kernel/locking/mutex.c:1002 [inline] __mutex_lock+0x806/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 odev_open+0x59/0x80 sound/core/seq/oss/seq_oss.c:137 soundcore_open+0x3d0/0x5e0 sound/sound_core.c:597 chrdev_open+0x1f0/0x5c0 fs/char_dev.c:417 do_dentry_open+0x3e2/0xf40 fs/open.c:771 vfs_open+0x9a/0xc0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0xb52/0x3d10 fs/namei.c:3533 do_filp_open+0x177/0x250 fs/namei.c:3563 do_sys_open+0x1dd/0x370 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x98/0xf0 fs/open.c:1084 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: Bad RIP value. RSP: 002b:00007ff76c907c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582f9 RDX: 0000000000000001 RSI: 00000000200019c0 RDI: ffffffffffffff9c RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff76c9086d4 R13: 00000000004c46b4 R14: 00000000004d80e8 R15: 00000000ffffffff INFO: lockdep is turned off. NMI backtrace for cpu 0 CPU: 0 PID: 1039 Comm: khungtaskd Not tainted 5.1.0-rc1+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 nmi_cpu_backtrace.cold.4+0x3e/0x76 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0x121/0x15b lib/nmi_backtrace.c:62 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:204 [inline] watchdog+0x592/0xb20 kernel/hung_task.c:288 kthread+0x327/0x3f0 kernel/kthread.c:253 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 Sending NMI from CPU 0 to CPUs 1: