lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CANikGpePfASOV5YnRf6tEUv2=aMTYxHkbXXG5NvJF=Vs0HtNuQ@mail.gmail.com>
Date: Sat, 24 Aug 2024 20:20:17 -0700
From: Juefei Pu <juefei.pu@...il.ucr.edu>
To: gregkh@...uxfoundation.org, jirislaby@...nel.org, 
	linux-kernel@...r.kernel.org, linux-serial@...r.kernel.org
Subject: BUG: INFO: task hung in tty_release_struct

Hello,
We found the following issue using syzkaller on Linux v6.10.
In `tty_release_struct` the task hung when trying to acquire the lock
`tty_mutex`

Although Syzbot has found a similar bug
(https://syzkaller.appspot.com/bug?id=032fedbb29b936d9b3f5b03409cee10ad9caee9b)
, the bug we discovered can be triggered on Linux v6.10. Meanwhile,
Syzbot failed to trigger the crash for 617 days. Thus, it looks like
this is a new bug.

Unfortunately, the syzkaller failed to generate a reproducer.
But at least we have the report:

INFO: task syz.0.5537:72598 blocked for more than 143 seconds.
      Not tainted 6.10.0 #13
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.5537      state:D stack:24680 pid:72598 tgid:72598
ppid:66970  flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5407 [inline]
 __schedule+0xf4a/0x15e0 kernel/sched/core.c:6748
 __schedule_loop kernel/sched/core.c:6825 [inline]
 schedule+0x143/0x310 kernel/sched/core.c:6840
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6897
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x69a/0xd50 kernel/locking/mutex.c:752
 tty_release_struct+0xad/0xd0 drivers/tty/tty_io.c:1706
 tty_release+0xb66/0xd70 drivers/tty/tty_io.c:1867
 __fput+0x24a/0x8a0 fs/file_table.c:422
 task_work_run+0x239/0x2f0 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x12d/0x280 kernel/entry/common.c:218
 do_syscall_64+0x8a/0x150 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7fd9a67809b9
RSP: 002b:00007ffecb0e3b18 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fd9a6947a80 RCX: 00007fd9a67809b9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fd9a6947a80 R08: 0000000000000006 R09: 00007ffecb0e3dff
R10: 00000000003ffcb0 R11: 0000000000000246 R12: 00000000002241f4
R13: 00007ffecb0e3c10 R14: 00007ffecb0e3c30 R15: ffffffffffffffff
 </TASK>
INFO: task syz.0.5537:72599 blocked for more than 143 seconds.
      Not tainted 6.10.0 #13
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.5537      state:D stack:26536 pid:72599 tgid:72598
ppid:66970  flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5407 [inline]
 __schedule+0xf4a/0x15e0 kernel/sched/core.c:6748
 __schedule_loop kernel/sched/core.c:6825 [inline]
 schedule+0x143/0x310 kernel/sched/core.c:6840
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6897
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x69a/0xd50 kernel/locking/mutex.c:752
 tty_release_struct+0xad/0xd0 drivers/tty/tty_io.c:1706
 tty_release+0xb66/0xd70 drivers/tty/tty_io.c:1867
 __fput+0x24a/0x8a0 fs/file_table.c:422
 task_work_run+0x239/0x2f0 kernel/task_work.c:180
 get_signal+0x15d5/0x1730 kernel/signal.c:2681
 arch_do_signal_or_restart+0x92/0x7f0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x95/0x280 kernel/entry/common.c:218
 do_syscall_64+0x8a/0x150 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7fd9a67809b9
RSP: 002b:00007fd9a7605038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: 000000000017c800 RBX: 00007fd9a6945f80 RCX: 00007fd9a67809b9
RDX: 00000000fffffde3 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00007fd9a67f4f70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fd9a6945f80 R15: 00007ffecb0e39b8
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/25:
 #0: ffffffff8db32fe0 (rcu_read_lock){....}-{1:2}, at:
rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #0: ffffffff8db32fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock
include/linux/rcupdate.h:781 [inline]
 #0: ffffffff8db32fe0 (rcu_read_lock){....}-{1:2}, at:
debug_show_all_locks+0x54/0x2d0 kernel/locking/lockdep.c:6614
1 lock held by in:imklog/7643:
2 locks held by agetty/38872:
 #0: ffff88801b0ac0a0 (&tty->ldisc_sem){++++}-{0:0}, at:
tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffff88801b0ac130 (&tty->atomic_write_lock){+.+.}-{3:3}, at:
tty_write_lock drivers/tty/tty_io.c:954 [inline]
 #1: ffff88801b0ac130 (&tty->atomic_write_lock){+.+.}-{3:3}, at:
iterate_tty_write drivers/tty/tty_io.c:973 [inline]
 #1: ffff88801b0ac130 (&tty->atomic_write_lock){+.+.}-{3:3}, at:
file_tty_write+0x1e8/0xa00 drivers/tty/tty_io.c:1096
2 locks held by kworker/u4:22/60168:
2 locks held by kworker/u4:23/60169:
 #0: ffff888018d66948 ((wq_completion)iou_exit){+.+.}-{0:0}, at:
process_one_work kernel/workqueue.c:3223 [inline]
 #0: ffff888018d66948 ((wq_completion)iou_exit){+.+.}-{0:0}, at:
process_scheduled_works+0x8fb/0x1410 kernel/workqueue.c:3329
 #1: ffffc9000971fd20
((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work
kernel/workqueue.c:3224 [inline]
 #1: ffffc9000971fd20
((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at:
process_scheduled_works+0x922/0x1410 kernel/workqueue.c:3329
2 locks held by kworker/u4:25/60173:
 #0: ffff888018d66948 ((wq_completion)iou_exit){+.+.}-{0:0}, at:
process_one_work kernel/workqueue.c:3223 [inline]
 #0: ffff888018d66948 ((wq_completion)iou_exit){+.+.}-{0:0}, at:
process_scheduled_works+0x8fb/0x1410 kernel/workqueue.c:3329
 #1: ffffc9000973fd20
((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work
kernel/workqueue.c:3224 [inline]
 #1: ffffc9000973fd20
((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at:
process_scheduled_works+0x922/0x1410 kernel/workqueue.c:3329
1 lock held by syz.0.4591/61848:
1 lock held by syz.1.4603/61926:
2 locks held by agetty/63190:
 #0: ffff88803c8260a0 (&tty->ldisc_sem){++++}-{0:0}, at:
tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc90007a8b2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at:
n_tty_read+0x712/0x1e80 drivers/tty/n_tty.c:2211
1 lock held by syz.1.4836/64293:
1 lock held by syz.1.5065/66967:
3 locks held by kworker/0:4/67207:
 #0: ffff88801307a948 ((wq_completion)events){+.+.}-{0:0}, at:
process_one_work kernel/workqueue.c:3223 [inline]
 #0: ffff88801307a948 ((wq_completion)events){+.+.}-{0:0}, at:
process_scheduled_works+0x8fb/0x1410 kernel/workqueue.c:3329
 #1: ffffc90004b8fd20
((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at:
process_one_work kernel/workqueue.c:3224 [inline]
 #1: ffffc90004b8fd20
((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at:
process_scheduled_works+0x922/0x1410 kernel/workqueue.c:3329
 #2: ffff88802f4a0240 (&data->fib_lock){+.+.}-{3:3}, at:
nsim_fib_event_work+0x2de/0x4050 drivers/net/netdevsim/fib.c:1489
2 locks held by syz.1.5398/70778:
2 locks held by syz.1.5488/71784:
1 lock held by syz.0.5537/72598:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_release_struct+0xad/0xd0 drivers/tty/tty_io.c:1706
1 lock held by syz.0.5537/72599:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_release_struct+0xad/0xd0 drivers/tty/tty_io.c:1706
4 locks held by syz.1.5536/72606:
1 lock held by syz.0.5541/73119:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.1.5542/73125:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.0.5543/73605:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
ptmx_open+0xc7/0x2c0 drivers/tty/pty.c:823
1 lock held by syz.1.5544/73619:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.0.5545/74100:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
ptmx_open+0xc7/0x2c0 drivers/tty/pty.c:823
1 lock held by syz.1.5547/74121:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
ptmx_open+0xc7/0x2c0 drivers/tty/pty.c:823
1 lock held by syz.1.5547/74122:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.1.5547/74123:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.1.5547/74124:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.0.5551/74612:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.0.5551/74617:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.0.5551/74621:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.0.5551/74625:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.0.5551/74626:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at: tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
tty_open+0x232/0xe20 drivers/tty/tty_io.c:2135
1 lock held by syz.0.5553/75389:
 #0: ffffffff8e2aa648 (tty_mutex){+.+.}-{3:3}, at:
ptmx_open+0xc7/0x2c0 drivers/tty/pty.c:823

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 25 Comm: khungtaskd Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x23d/0x360 lib/dump_stack.c:114
 nmi_cpu_backtrace+0x451/0x480 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x181/0x2d0 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
 watchdog+0xdbd/0xe00 kernel/hung_task.c:379
 kthread+0x2eb/0x380 kernel/kthread.c:389
 ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ