lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sun, 30 Oct 2022 17:50:59 +0800
From:   Wei Chen <harperchen1110@...il.com>
To:     miklos@...redi.hu, linux-fsdevel@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org
Subject: INFO: task hung in fuse_mount_remove

Dear Linux Developer,

Recently when using our tool to fuzz kernel, the following crash was triggered:

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1tgzWXmjFknwTTo-Y7gSi48OdM7kyVrxb/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@...il.com>

INFO: task syz-executor.0:6566 blocked for more than 143 seconds.
      Not tainted 5.15.0-rc5 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0  state:D stack:10408 pid: 6566 ppid:     1 flags:0x00004004
Call Trace:
 __schedule+0x4a1/0x1720
 schedule+0x36/0xe0
 rwsem_down_write_slowpath+0x322/0x7a0
 fuse_mount_remove+0x26/0x90
 fuse_sb_destroy+0x23/0x50
 fuse_kill_sb_anon+0x11/0x20
 deactivate_locked_super+0x42/0x90
 deactivate_super+0x9d/0xb0
 cleanup_mnt+0x153/0x1d0
 task_work_run+0x86/0xe0
 exit_to_user_mode_prepare+0x25e/0x280
 syscall_exit_to_user_mode+0x19/0x60
 do_syscall_64+0x40/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46aba7
RSP: 002b:00007ffdca8286e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000046aba7
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffdca8287a0
RBP: 00007ffdca8298a0 R08: 0000000002d3ddd3 R09: 000000000000000c
R10: 00000000fffffffb R11: 0000000000000246 R12: 0000000002d3dd00
R13: 0000000000000002 R14: 0000000000000032 R15: 0000000000000bb8

Showing all locks held in the system:
1 lock held by khungtaskd/29:
 #0: ffffffff8641dee0 (rcu_read_lock){....}-{1:2}, at:
debug_show_all_locks+0x15/0x17a
1 lock held by in:imklog/6175:
 #0: ffff888013fda6f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x92/0xa0
2 locks held by agetty/6224:
 #0: ffff888013f03098 (&tty->ldisc_sem){++++}-{0:0}, at:
tty_ldisc_ref_wait+0x20/0x50
 #1: ffffc900008472e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at:
n_tty_read+0x203/0x930
2 locks held by agetty/6232:
 #0: ffff88810ac7d898 (&tty->ldisc_sem){++++}-{0:0}, at:
tty_ldisc_ref_wait+0x20/0x50
 #1: ffffc9000084b2e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at:
n_tty_read+0x203/0x930
2 locks held by syz-executor.0/6566:
 #0: ffff88802dbeb0e0 (&type->s_umount_key#53){+.+.}-{3:3}, at:
deactivate_super+0x95/0xb0
 #1: ffff88803ca09b38 (&fc->killsb){++++}-{3:3}, at: fuse_mount_remove+0x26/0x90
1 lock held by syz-executor.0/1879:
 #0: ffff88803ca09b38 (&fc->killsb){++++}-{3:3}, at:
fuse_dev_do_write+0x532/0x14f0

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 29 Comm: khungtaskd Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack_lvl+0xcd/0x134
 nmi_cpu_backtrace.cold.8+0xf3/0x118
 nmi_trigger_cpumask_backtrace+0x18f/0x1c0
 watchdog+0x9a0/0xb10
 kthread+0x1a6/0x1e0
 ret_from_fork+0x1f/0x30
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 10409 Comm: syz-executor.0 Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:perf_trace_lock_acquire+0x156/0x1a0
Code: 00 53 e8 5d 47 1d 00 5e 5f 48 8b 45 d0 65 48 33 04 25 28 00 00
00 75 4a 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 8b 03 <48> 85
c0 0f 85 1c ff ff ff eb d4 41 bd 18 00 07 00 41 bc 06 00 00
RSP: 0000:ffffc90002d97c80 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffe8ffffc42d38 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90002d97cd8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000005 R11: 0000000000000000 R12: 000000000000000e
R13: 00000000000f0018 R14: ffffffff86338f00 R15: ffff88810ae79b28
FS:  00007f9a23fd1700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000110c96000 CR4: 00000000003526e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 lock_acquire+0x184/0x330
 __might_fault+0x92/0xc0
 copy_fpstate_to_sigframe+0x5a8/0x680
 get_sigframe.isra.16+0xb1/0x1b0
 arch_do_signal_or_restart+0x53a/0x870
 exit_to_user_mode_prepare+0x138/0x280
 irqentry_exit_to_user_mode+0x5/0x40
 exc_page_fault+0x4a4/0x1130
 asm_exc_page_fault+0x1e/0x30
RIP: 0033:0x4064fb
Code: c7 f0 fe ff ff e8 65 06 02 00 85 c0 0f 84 95 01 00 00 64 f0 83
2c 25 b8 ff ff ff 01 48 8b 54 24 18 48 8b 44 24 28 4c 8b 42 78 <8b> 00
49 83 f8 ff 89 82 80 00 00 00 0f 84 13 01 00 00 48 8b 44 24
RSP: 002b:00007f9a23fd0c40 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 000000000119bfa0
RDX: 000000000119bfa0 RSI: 0000000000000001 RDI: 00007f9a23fd15f0
RBP: 000000000119bfa8 R08: 0000000000000000 R09: 000000000119bfa8
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bfac
R13: 0000000000000000 R14: 000000000119bfa0 R15: 00007ffdca829770
----------------
Code disassembly (best guess):
   0: 00 53 e8              add    %dl,-0x18(%rbx)
   3: 5d                    pop    %rbp
   4: 47 1d 00 5e 5f 48    rex.RXB sbb $0x485f5e00,%eax
   a: 8b 45 d0              mov    -0x30(%rbp),%eax
   d: 65 48 33 04 25 28 00 xor    %gs:0x28,%rax
  14: 00 00
  16: 75 4a                jne    0x62
  18: 48 8d 65 d8          lea    -0x28(%rbp),%rsp
  1c: 5b                    pop    %rbx
  1d: 41 5c                pop    %r12
  1f: 41 5d                pop    %r13
  21: 41 5e                pop    %r14
  23: 41 5f                pop    %r15
  25: 5d                    pop    %rbp
  26: c3                    retq
  27: 48 8b 03              mov    (%rbx),%rax
* 2a: 48 85 c0              test   %rax,%rax <-- trapping instruction
  2d: 0f 85 1c ff ff ff    jne    0xffffff4f
  33: eb d4                jmp    0x9
  35: 41 bd 18 00 07 00    mov    $0x70018,%r13d
  3b: 41                    rex.B
  3c: bc                    .byte 0xbc
  3d: 06                    (bad)

Best,
Wei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ