lists.openwall.net: Open Source and information security mailing list archives
Date:   Wed, 27 Jul 2022 15:00:56 -0700
From:   Dipanjan Das <mail.dipanjan.das@...il.com>
To:     efremov@...ux.com, axboe@...nel.dk, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc:     syzkaller@...glegroups.com, fleischermarius@...glemail.com,
        its.priyanka.bose@...il.com
Subject: INFO: task hung in __floppy_read_block_0

Hi,

We would like to report the following bug which has been found by our
modified version of syzkaller.

======================================================
description: INFO: task hung in __floppy_read_block_0
affected file: drivers/block/floppy.c
kernel version: 5.19-rc6
kernel commit: 32346491ddf24599decca06190ebca03ff9de7f8
git tree: upstream
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=cd73026ceaed1402
crash reproducer: attached
======================================================
Crash log:
======================================================
INFO: task syz-executor.1:9482 blocked for more than 143 seconds.
      Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1  state:D stack:27528 pid: 9482 ppid:  5005 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5146 [inline]
 __schedule+0xa76/0x5140 kernel/sched/core.c:6458
 schedule+0xd2/0x1f0 kernel/sched/core.c:6530
 schedule_timeout+0x5e5/0x890 kernel/time/timer.c:1911
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x182/0x360 kernel/sched/completion.c:138
 __floppy_read_block_0+0x1dd/0x290 drivers/block/floppy.c:4162
 floppy_revalidate+0x74f/0xa90 drivers/block/floppy.c:4206
 invalidate_drive+0xeb/0x120 drivers/block/floppy.c:3219
 fd_locked_ioctl+0xac1/0x1720 drivers/block/floppy.c:3467
 fd_ioctl+0x35/0x50 drivers/block/floppy.c:3574
 blkdev_ioctl+0x36e/0x800 block/ioctl.c:614
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa70548d4ed
RSP: 002b:00007fa706530be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa7055abf60 RCX: 00007fa70548d4ed
RDX: 0000000000000000 RSI: 0000000000000241 RDI: 0000000000000003
RBP: 00007fa7054f92e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff9363b3ef R14: 00007fa7055abf60 R15: 00007fa706530d80
 </TASK>
INFO: task syz-executor.1:9490 blocked for more than 143 seconds.
      Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1  state:D stack:28120 pid: 9490 ppid:  5005 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5146 [inline]
 __schedule+0xa76/0x5140 kernel/sched/core.c:6458
 schedule+0xd2/0x1f0 kernel/sched/core.c:6530
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 blkdev_get_by_dev block/bdev.c:814 [inline]
 blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
 blkdev_open+0x13c/0x2c0 block/fops.c:481
 do_dentry_open+0x4a1/0x11f0 fs/open.c:848
 do_open fs/namei.c:3520 [inline]
 path_openat+0x1c51/0x2890 fs/namei.c:3653
 do_filp_open+0x1c1/0x290 fs/namei.c:3680
 do_sys_openat2+0x61b/0x990 fs/open.c:1278
 do_sys_open+0xc3/0x140 fs/open.c:1294
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa70543caf4
RSP: 002b:00007fa70650f710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007fa70543caf4
RDX: 0000000000000003 RSI: 00007fa70650f7b0 RDI: 00000000ffffff9c
RBP: 00007fa70650f7b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 00007fff9363b3ef R14: 00007fa7055ac040 R15: 00007fa70650fd80
 </TASK>
INFO: task syz-executor.1:9498 blocked for more than 143 seconds.
      Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1  state:D stack:29272 pid: 9498 ppid:  5005 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5146 [inline]
 __schedule+0xa76/0x5140 kernel/sched/core.c:6458
 schedule+0xd2/0x1f0 kernel/sched/core.c:6530
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
 blkdev_ioctl+0x36e/0x800 block/ioctl.c:614
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa70548d4ed
RSP: 002b:00007fa703a8bbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa7055ac120 RCX: 00007fa70548d4ed
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000003
RBP: 00007fa7054f92e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff9363b3ef R14: 00007fa7055ac120 R15: 00007fa703a8bd80
 </TASK>
INFO: task syz-executor.1:9506 blocked for more than 143 seconds.
      Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1  state:D stack:29272 pid: 9506 ppid:  5005 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5146 [inline]
 __schedule+0xa76/0x5140 kernel/sched/core.c:6458
 schedule+0xd2/0x1f0 kernel/sched/core.c:6530
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
 blkdev_ioctl+0x36e/0x800 block/ioctl.c:614
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa70548d4ed
RSP: 002b:00007fa70386abe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa7055ac200 RCX: 00007fa70548d4ed
RDX: 0000000000000000 RSI: 0000000000000247 RDI: 0000000000000003
RBP: 00007fa7054f92e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff9363b3ef R14: 00007fa7055ac200 R15: 00007fa70386ad80
 </TASK>
INFO: task syz-executor.1:9523 blocked for more than 143 seconds.
      Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1  state:D stack:28120 pid: 9523 ppid:  5005 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5146 [inline]
 __schedule+0xa76/0x5140 kernel/sched/core.c:6458
 schedule+0xd2/0x1f0 kernel/sched/core.c:6530
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 blkdev_get_by_dev block/bdev.c:814 [inline]
 blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
 blkdev_open+0x13c/0x2c0 block/fops.c:481
 do_dentry_open+0x4a1/0x11f0 fs/open.c:848
 do_open fs/namei.c:3520 [inline]
 path_openat+0x1c51/0x2890 fs/namei.c:3653
 do_filp_open+0x1c1/0x290 fs/namei.c:3680
 do_sys_openat2+0x61b/0x990 fs/open.c:1278
 do_sys_open+0xc3/0x140 fs/open.c:1294
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa70543caf4
RSP: 002b:00007fa703649710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007fa70543caf4
RDX: 0000000000000003 RSI: 00007fa7036497b0 RDI: 00000000ffffff9c
RBP: 00007fa7036497b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 00007fff9363b3ef R14: 00007fa7055ac2e0 R15: 00007fa703649d80
 </TASK>
INFO: task syz-executor.1:9526 blocked for more than 143 seconds.
      Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1  state:D stack:28120 pid: 9526 ppid:  5005 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5146 [inline]
 __schedule+0xa76/0x5140 kernel/sched/core.c:6458
 schedule+0xd2/0x1f0 kernel/sched/core.c:6530
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 blkdev_get_by_dev block/bdev.c:814 [inline]
 blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
 blkdev_open+0x13c/0x2c0 block/fops.c:481
 do_dentry_open+0x4a1/0x11f0 fs/open.c:848
 do_open fs/namei.c:3520 [inline]
 path_openat+0x1c51/0x2890 fs/namei.c:3653
 do_filp_open+0x1c1/0x290 fs/namei.c:3680
 do_sys_openat2+0x61b/0x990 fs/open.c:1278
 do_sys_open+0xc3/0x140 fs/open.c:1294
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa70543caf4
RSP: 002b:00007fa703428710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007fa70543caf4
RDX: 0000000000000003 RSI: 00007fa7034287b0 RDI: 00000000ffffff9c
RBP: 00007fa7034287b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 00007fff9363b3ef R14: 00007fa7055ac3c0 R15: 00007fa703428d80
 </TASK>
INFO: task syz-executor.1:9537 blocked for more than 143 seconds.
      Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1  state:D stack:28584 pid: 9537 ppid:  5005 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5146 [inline]
 __schedule+0xa76/0x5140 kernel/sched/core.c:6458
 schedule+0xd2/0x1f0 kernel/sched/core.c:6530
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
 blkdev_ioctl+0x36e/0x800 block/ioctl.c:614
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa70548d4ed
RSP: 002b:00007fa703207be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa7055ac4a0 RCX: 00007fa70548d4ed
RDX: 0000000020000200 RSI: 0000000040200242 RDI: 0000000000000003
RBP: 00007fa7054f92e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff9363b3ef R14: 00007fa7055ac4a0 R15: 00007fa703207d80
 </TASK>
INFO: task syz-executor.6:9486 blocked for more than 143 seconds.
      Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.6  state:D stack:28120 pid: 9486 ppid:  6033 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5146 [inline]
 __schedule+0xa76/0x5140 kernel/sched/core.c:6458
 schedule+0xd2/0x1f0 kernel/sched/core.c:6530
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 floppy_open+0x7f/0xdb0 drivers/block/floppy.c:3994
 blkdev_get_whole+0x99/0x260 block/bdev.c:673
 blkdev_get_by_dev block/bdev.c:823 [inline]
 blkdev_get_by_dev+0x4a8/0xae0 block/bdev.c:787
 blkdev_open+0x13c/0x2c0 block/fops.c:481
 do_dentry_open+0x4a1/0x11f0 fs/open.c:848
 do_open fs/namei.c:3520 [inline]
 path_openat+0x1c51/0x2890 fs/namei.c:3653
 do_filp_open+0x1c1/0x290 fs/namei.c:3680
 do_sys_openat2+0x61b/0x990 fs/open.c:1278
 do_sys_open+0xc3/0x140 fs/open.c:1294
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f9e8623caf4
RSP: 002b:00007f9e8731f710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007f9e8623caf4
RDX: 0000000000000003 RSI: 00007f9e8731f7b0 RDI: 00000000ffffff9c
RBP: 00007f9e8731f7b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 00007ffe6d243b2f R14: 00007f9e863abf60 R15: 00007f9e8731fd80
 </TASK>
INFO: task syz-executor.5:9503 blocked for more than 143 seconds.
      Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5  state:D stack:28120 pid: 9503 ppid:  6502 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5146 [inline]
 __schedule+0xa76/0x5140 kernel/sched/core.c:6458
 schedule+0xd2/0x1f0 kernel/sched/core.c:6530
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 blkdev_get_by_dev block/bdev.c:814 [inline]
 blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
 blkdev_open+0x13c/0x2c0 block/fops.c:481
 do_dentry_open+0x4a1/0x11f0 fs/open.c:848
 do_open fs/namei.c:3520 [inline]
 path_openat+0x1c51/0x2890 fs/namei.c:3653
 do_filp_open+0x1c1/0x290 fs/namei.c:3680
 do_sys_openat2+0x61b/0x990 fs/open.c:1278
 do_sys_open+0xc3/0x140 fs/open.c:1294
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fc9a783caf4
RSP: 002b:00007fc9a5f27710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007fc9a783caf4
RDX: 0000000000000000 RSI: 00007fc9a5f277b0 RDI: 00000000ffffff9c
RBP: 00007fc9a5f277b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffda907f81f R14: 00007fc9a79abf60 R15: 00007fc9a5f27d80
 </TASK>

Showing all locks held in the system:
2 locks held by kworker/u4:1/12:
1 lock held by khungtaskd/30:
 #0: ffffffff8bd83aa0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6491
1 lock held by in:imklog/6573:
 #0: ffff88810db62368 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe3/0x100 fs/file.c:1036
5 locks held by kworker/u4:4/8242:
 #0: ffff888063c39ed8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x120 kernel/sched/core.c:544
 #1: ffff888063c277c8 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: process_one_work+0x8e4/0x1650 kernel/workqueue.c:2264
 #2: ffffffff8bdbc198 (dma_spin_lock){-.-.}-{2:2}, at: claim_dma_lock arch/x86/include/asm/dma.h:156 [inline]
 #2: ffffffff8bdbc198 (dma_spin_lock){-.-.}-{2:2}, at: floppy_ready drivers/block/floppy.c:1946 [inline]
 #2: ffffffff8bdbc198 (dma_spin_lock){-.-.}-{2:2}, at: floppy_ready+0xb27/0x19b0 drivers/block/floppy.c:1926
 #3: ffff888063c28398 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x5a/0x1f0 kernel/time/timer.c:999
 #4: ffffffff911ba350 (&obj_hash[i].lock){-.-.}-{2:2}, at: console_lock_spinning_disable_and_check kernel/printk/printk.c:1830 [inline]
 #4: ffffffff911ba350 (&obj_hash[i].lock){-.-.}-{2:2}, at: console_emit_next_record.constprop.0+0x40a/0x840 kernel/printk/printk.c:2737
1 lock held by syz-executor.1/9482:
 #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
1 lock held by syz-executor.1/9490:
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline]
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
1 lock held by syz-executor.1/9498:
 #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
1 lock held by syz-executor.1/9506:
 #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
1 lock held by syz-executor.1/9523:
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline]
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
1 lock held by syz-executor.1/9526:
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline]
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
1 lock held by syz-executor.1/9537:
 #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
2 locks held by syz-executor.6/9486:
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline]
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
 #1: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: floppy_open+0x7f/0xdb0 drivers/block/floppy.c:3994
1 lock held by syz-executor.5/9503:
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline]
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 30 Comm: khungtaskd Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x1a1/0x1e0 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:212 [inline]
 watchdog+0xcc8/0x1010 kernel/hung_task.c:369
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 6574 Comm: rs:main Q:Reg Tainted: G           OE     5.19.0-rc6-g2eae0556bb9d #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__rq_lockp kernel/sched/sched.h:1179 [inline]
RIP: 0010:rq_pin_lock kernel/sched/sched.h:1525 [inline]
RIP: 0010:rq_lock_irqsave kernel/sched/sched.h:1587 [inline]
RIP: 0010:sched_ttwu_pending+0x114/0x570 kernel/sched/core.c:3741
Code: 00 00 00 00 00 00 00 9c 5d fa f7 c5 00 02 00 00 0f 85 12 03 00 00 31 f6 4c 89 ff e8 e6 ad fe ff 49 8d 87 58 0d 00 00 48 89 c2 <48> 89 44 24 08 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 48 89 6c
RSP: 0018:ffffc90000007d90 EFLAGS: 00000093
RAX: ffff888063c3ac18 RBX: ffff88812cffd8b8 RCX: 0000000000000000
RDX: ffff888063c3ac18 RSI: 0000000000000003 RDI: 0000000000000001
RBP: 0000000000000046 R08: fffff52000000f9c R09: fffff52000000f9d
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 1ffff92000000fb9 R14: ffff88812cffd8c0 R15: ffff888063c39ec0
FS:  00007f6eca9fd700(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ec0000000 CR3: 000000001700a000 CR4: 0000000000150ef0
Call Trace:
 <IRQ>
 __flush_smp_call_function_queue+0x451/0x9a0 kernel/smp.c:681
 __sysvec_call_function_single+0x95/0x3e0 arch/x86/kernel/smp.c:248
 sysvec_call_function_single+0x40/0xc0 arch/x86/kernel/smp.c:243
 asm_sysvec_call_function_single+0x1b/0x20 arch/x86/include/asm/idtentry.h:657
RIP: 0010:__do_softirq+0x193/0x908 kernel/softirq.c:557
Code: 89 5c 24 08 48 89 44 24 18 48 c7 c7 60 1a cb 89 e8 d2 2d da ff 65 66 c7 05 f8 92 63 76 00 00 e8 b3 07 e1 f7 fb b8 ff ff ff ff <48> c7 c3 c0 a0 a0 8b 41 0f bc c5 41 89 c7 41 83 c7 01 0f 85 ad 00
RSP: 0018:ffffc90000007f80 EFLAGS: 00000206
RAX: 00000000ffffffff RBX: ffff88810a591d80 RCX: 1ffffffff20d7bd6
RDX: 0000000000000000 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc9000386f648 R08: 0000000000000001 R09: fffffbfff20d0135
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu kernel/softirq.c:650 [inline]
 irq_exit_rcu+0xf2/0x130 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:lock_is_held_type+0xff/0x140 kernel/locking/lockdep.c:5713
Code: 00 00 b8 ff ff ff ff 65 0f c1 05 14 57 88 76 83 f8 01 75 29 9c 58 f6 c4 02 75 3d 48 f7 04 24 00 02 00 00 74 01 fb 48 83 c4 08 <44> 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 ed eb b9 0f 0b 48
RSP: 0018:ffffc9000386f6f0 EFLAGS: 00000296
RAX: 0000000000000046 RBX: 0000000000000004 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffffff8bd839e0 R08: fffffbfff1b7619a R09: fffffbfff1b7619b
R10: 0000000000000001 R11: 000000000008a07a R12: ffff88810a591d80
R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88810a592858
 lock_is_held include/linux/lockdep.h:279 [inline]
 rcu_read_lock_sched_held+0x9c/0xd0 kernel/rcu/update.c:125
 trace_lock_release include/trace/events/lock.h:69 [inline]
 lock_release+0x524/0x6d0 kernel/locking/lockdep.c:5676
 rcu_lock_release include/linux/rcupdate.h:274 [inline]
 rcu_read_unlock include/linux/rcupdate.h:728 [inline]
 mapping_get_entry mm/filemap.c:1902 [inline]
 __filemap_get_folio+0x345/0x1210 mm/filemap.c:1946
 pagecache_get_page+0x2e/0x290 mm/folio-compat.c:126
 ext4_da_write_begin+0x3f9/0xaf0 fs/ext4/inode.c:2977
 generic_perform_write+0x240/0x570 mm/filemap.c:3779
 ext4_buffered_write_iter+0x11d/0x2e0 fs/ext4/file.c:270
 ext4_file_write_iter+0x448/0x14e0 fs/ext4/file.c:679
 call_write_iter include/linux/fs.h:2058 [inline]
 new_sync_write+0x393/0x570 fs/read_write.c:504
 vfs_write+0x7c4/0xab0 fs/read_write.c:591
 ksys_write+0x127/0x250 fs/read_write.c:644
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6ecf2101cd
Code: c2 20 00 00 75 10 b8 01 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae fc ff ff 48 89 04 24 b8 01 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 f7 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f6eca9fc590 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f6ec00243f0 RCX: 00007f6ecf2101cd
RDX: 0000000000000310 RSI: 00007f6ec00243f0 RDI: 0000000000000009
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f6ec0024170
R13: 00007f6eca9fc5b0 R14: 000055b91e051440 R15: 0000000000000310
 </TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: 00 00                add    %al,(%rax)
   2: 00 00                add    %al,(%rax)
   4: 00 00                add    %al,(%rax)
   6: 9c                    pushfq
   7: 5d                    pop    %rbp
   8: fa                    cli
   9: f7 c5 00 02 00 00    test   $0x200,%ebp
   f: 0f 85 12 03 00 00    jne    0x327
  15: 31 f6                xor    %esi,%esi
  17: 4c 89 ff              mov    %r15,%rdi
  1a: e8 e6 ad fe ff        callq  0xfffeae05
  1f: 49 8d 87 58 0d 00 00 lea    0xd58(%r15),%rax
  26: 48 89 c2              mov    %rax,%rdx
* 29: 48 89 44 24 08        mov    %rax,0x8(%rsp) <-- trapping instruction
  2e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
  35: fc ff df
  38: 48 c1 ea 03          shr    $0x3,%rdx
  3c: 48                    rex.W
  3d: 89                    .byte 0x89
  3e: 6c                    insb   (%dx),%es:(%rdi)

-- 
Thanks and Regards,

Dipanjan

Download attachment "repro.syz" of type "application/octet-stream" (366 bytes)

View attachment "repro.c" of type "text/x-csrc" (4556 bytes)
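Added triage helper (not part of this report, and not syzkaller's or the kernel's code): a small Python script that parses a khungtaskd report together with its lockdep "Showing all locks held" section and answers the question the log above raises, namely who holds floppy_mutex and &disk->open_mutex and who is queued behind them. Run over the report it shows the shape of the hang: pid 9482 holds floppy_mutex (taken in fd_ioctl) while sleeping in wait_for_completion under __floppy_read_block_0; the other fd_ioctl callers and floppy_open queue on floppy_mutex; floppy_open in turn already holds &disk->open_mutex, so the remaining openers queue behind that. Assumptions: SAMPLE is a constructed excerpt of the log above, trimmed to the relevant frames with the call-trace scaffolding and mail wrapping removed; the held-versus-waited heuristic (a mutex listed under a task whose acquire site is the very frame the task is blocked in under __mutex_lock is being waited for, not held) is this script's own reading of lockdep output, not something lockdep states.

```python
"""Triage a Linux hung-task report: which task holds which mutex, who is queued
on it, and which blocked task is the root of the chain.  Added example; not part
of the bug report above, of syzkaller, or of the kernel."""
import re

# Frames that only say "this task is asleep", not why; skipped when picking the
# sleep primitive and the first caller the task is actually stuck in.
SCHED_FRAMES = {"context_switch", "__schedule", "schedule", "schedule_timeout",
                "schedule_preempt_disabled", "do_wait_for_common",
                "__wait_for_common", "wait_for_common", "__mutex_lock_common"}
TASK_RE = re.compile(r"^INFO: task (?P<comm>\S+):(?P<pid>\d+) blocked")
FRAME_RE = re.compile(r"^ +(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? +(?P<loc>\S+)")
HELD_RE = re.compile(r"^\d+ locks? held by \S+/(?P<pid>\d+):")
LOCK_RE = re.compile(r"^ +#(?P<idx>\d+): [0-9a-f]+ \((?P<name>[^)]+)\).*, at: (?P<at>[\w.]+)")

def parse_report(text):
    """Return {pid: {comm, primitive, stuck_in, loc, locks}} per blocked task."""
    tasks, cur, in_locks = {}, None, False
    for line in text.splitlines():
        if line.startswith("Showing all locks held"):
            in_locks, cur = True, None
        elif in_locks:
            if m := HELD_RE.match(line):
                cur = int(m.group("pid"))
            elif (m := LOCK_RE.match(line)) and cur in tasks:
                locks = tasks[cur]["locks"]
                if int(m.group("idx")) >= len(locks):  # [inline] lines repeat #idx
                    locks.append({"name": m.group("name"), "at": m.group("at")})
        elif m := TASK_RE.match(line):
            cur = int(m.group("pid"))
            tasks[cur] = {"comm": m.group("comm"), "primitive": None,
                          "stuck_in": None, "loc": None, "locks": []}
        elif ((m := FRAME_RE.match(line)) and cur in tasks
              and m.group("func") not in SCHED_FRAMES):
            t = tasks[cur]
            if t["primitive"] is None:       # wait_for_completion, __mutex_lock, ...
                t["primitive"] = m.group("func")
            elif t["stuck_in"] is None:      # the caller of that primitive
                t["stuck_in"], t["loc"] = m.group("func"), m.group("loc")
    return tasks

def classify(tasks):
    """Per lock: holders and waiters; plus root blockers (tasks queued on no mutex).

    Assumption about lockdep output: a mutex shows up under a task as soon as the
    task tries to take it, so an entry whose acquire site is the very frame the
    task is blocked in under __mutex_lock is being waited for, not held."""
    locks, roots = {}, []
    for pid, t in sorted(tasks.items()):
        waiting = False
        for lk in t["locks"]:
            e = locks.setdefault(lk["name"], {"holders": [], "waiters": []})
            if t["primitive"] == "__mutex_lock" and lk["at"] == t["stuck_in"]:
                e["waiters"].append(pid)
                waiting = True
            else:
                e["holders"].append(pid)
        if not waiting:
            roots.append((pid, t["primitive"], t["stuck_in"], t["loc"]))
    return locks, roots

def summarize(text):
    """Human-readable lines; the root blocker is the one to read first."""
    locks, roots = classify(parse_report(text))
    out = [f"root blocker: pid {p} in {prim} called from {f} ({loc})" for p, prim, f, loc in roots]
    return out + [f"{n}: held by {e['holders']}, waited on by {e['waiters']}" for n, e in locks.items()]

# Constructed input: an excerpt of the report above, trimmed to the frames that
# matter (Call Trace:/<TASK> scaffolding dropped, mail-wrapped lockdep lines rejoined).
SAMPLE = """\
INFO: task syz-executor.1:9482 blocked for more than 143 seconds.
 wait_for_completion+0x182/0x360 kernel/sched/completion.c:138
 __floppy_read_block_0+0x1dd/0x290 drivers/block/floppy.c:4162
 floppy_revalidate+0x74f/0xa90 drivers/block/floppy.c:4206
INFO: task syz-executor.1:9490 blocked for more than 143 seconds.
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 blkdev_get_by_dev block/bdev.c:814 [inline]
INFO: task syz-executor.1:9498 blocked for more than 143 seconds.
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
INFO: task syz-executor.6:9486 blocked for more than 143 seconds.
 __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747
 floppy_open+0x7f/0xdb0 drivers/block/floppy.c:3994
Showing all locks held in the system:
1 lock held by syz-executor.1/9482:
 #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
1 lock held by syz-executor.1/9490:
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline]
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
1 lock held by syz-executor.1/9498:
 #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573
2 locks held by syz-executor.6/9486:
 #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787
 #1: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: floppy_open+0x7f/0xdb0 drivers/block/floppy.c:3994
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Run it as a script to print the summary for SAMPLE, or call summarize() on a full report saved from the console; a real log can be fed unmodified as long as the lockdep "at:" lines have not been wrapped by a mailer. The root-blocker line is the one to start from: it names the task that is not queued on any mutex, which for this report is the one sleeping on a floppy completion while holding floppy_mutex.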
