Message-ID: <6840e520.050a0220.2461cf.000c.GAE@google.com>
Date: Wed, 04 Jun 2025 17:30:24 -0700
From: syzbot <syzbot+7f46fdd7673b5fec63ac@...kaller.appspotmail.com>
To: axboe@...nel.dk, josef@...icpanda.com, linux-block@...r.kernel.org, 
	linux-kernel@...r.kernel.org, nbd@...er.debian.org, 
	syzkaller-bugs@...glegroups.com
Subject: [syzbot] [nbd?] possible deadlock in nbd_ioctl

Hello,

syzbot found the following issue on:

HEAD commit:    4cb6c8af8591 selftests/filesystems: Fix build of anon_inod..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=101dbed4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4db24c5f80c69f73
dashboard link: https://syzkaller.appspot.com/bug?extid=7f46fdd7673b5fec63ac
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-4cb6c8af.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/03a3203c4877/vmlinux-4cb6c8af.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5da3a32140dd/bzImage-4cb6c8af.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7f46fdd7673b5fec63ac@...kaller.appspotmail.com

[  234.907471][T11482]
[  234.908368][T11482] ======================================================
[  234.911186][T11482] WARNING: possible circular locking dependency detected
[  234.913886][T11482] 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 Not tainted
[  234.917367][T11482] ------------------------------------------------------
[  234.921230][T11482] syz.2.1726/11482 is trying to acquire lock:
[  234.947847][T11482]        nbd_config_put+0x31/0x750 drivers/block/nbd.c:1423
[  234.950419][T11482]        nbd_release+0xb7/0x190 drivers/block/nbd.c:1735
[  234.952630][T11482]        blkdev_put_whole+0xad/0xf0 block/bdev.c:721
[  234.954759][T11482]        bdev_release+0x47e/0x6d0 block/bdev.c:1144
[  234.956801][T11482]        blkdev_release+0x15/0x20 block/fops.c:684
[  234.958866][T11482]        __fput+0x402/0xb70 fs/file_table.c:465
[  234.960790][T11482]        fput_close_sync+0x118/0x260 fs/file_table.c:570
[  234.963382][T11482]        __do_sys_close fs/open.c:1589 [inline]
[  234.963382][T11482]        __se_sys_close fs/open.c:1574 [inline]
[  234.963382][T11482]        __x64_sys_close+0x8b/0x120 fs/open.c:1574
[  234.965568][T11482]        do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
[  234.965568][T11482]        do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
[  234.967679][T11482]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  234.970149][T11482]
[  234.973111][T11482]        __mutex_lock_common kernel/locking/mutex.c:601 [inline]
[  234.973111][T11482]        __mutex_lock+0x199/0xb90 kernel/locking/mutex.c:746
[  234.975247][T11482]        __del_gendisk+0xf5/0xbd0 block/genhd.c:706
[  234.977457][T11482]        del_gendisk+0x13e/0x1e0 block/genhd.c:819
[  234.979465][T11482]        loop_remove drivers/block/loop.c:2081 [inline]
[  234.979465][T11482]        loop_control_remove drivers/block/loop.c:2140 [inline]
[  234.979465][T11482]        loop_control_ioctl+0x4eb/0x630 drivers/block/loop.c:2178
[  234.981839][T11482]        __do_compat_sys_ioctl fs/ioctl.c:1005 [inline]
[  234.981839][T11482]        __se_compat_sys_ioctl fs/ioctl.c:948 [inline]
[  234.981839][T11482]        __ia32_compat_sys_ioctl+0x23f/0x370 fs/ioctl.c:948
[  234.984163][T11482]        do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
[  234.984163][T11482]        __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306
[  234.986400][T11482]        do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
[  234.988602][T11482]        entry_SYSENTER_compat_after_hwframe+0x84/0x8e
[  234.991286][T11482]
[  234.994371][T11482]        check_prev_add kernel/locking/lockdep.c:3168 [inline]
[  234.994371][T11482]        check_prevs_add kernel/locking/lockdep.c:3287 [inline]
[  234.994371][T11482]        validate_chain kernel/locking/lockdep.c:3911 [inline]
[  234.994371][T11482]        __lock_acquire+0x126f/0x1c90 kernel/locking/lockdep.c:5240
[  234.996519][T11482]        lock_acquire kernel/locking/lockdep.c:5871 [inline]
[  234.996519][T11482]        lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5828
[  234.998553][T11482]        down_write+0x92/0x200 kernel/locking/rwsem.c:1577
[  235.000504][T11482]        blk_mq_update_nr_hw_queues+0x32/0xcb0 block/blk-mq.c:5041
[  235.002954][T11482]        nbd_start_device+0x172/0xcd0 drivers/block/nbd.c:1476
[  235.005099][T11482]        nbd_start_device_ioctl drivers/block/nbd.c:1527 [inline]
[  235.005099][T11482]        __nbd_ioctl drivers/block/nbd.c:1602 [inline]
[  235.005099][T11482]        nbd_ioctl+0x219/0xda0 drivers/block/nbd.c:1642
[  235.007199][T11482]        compat_blkdev_ioctl+0x2ee/0x7a0 block/ioctl.c:760
[  235.009416][T11482]        __do_compat_sys_ioctl fs/ioctl.c:1005 [inline]
[  235.009416][T11482]        __se_compat_sys_ioctl fs/ioctl.c:948 [inline]
[  235.009416][T11482]        __ia32_compat_sys_ioctl+0x23f/0x370 fs/ioctl.c:948
[  235.011817][T11482]        do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
[  235.011817][T11482]        __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306
[  235.014044][T11482]        do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
[  235.016183][T11482]        entry_SYSENTER_compat_after_hwframe+0x84/0x8e
[  235.018768][T11482]
[  235.022468][T11482] Chain exists of:
[  235.027258][T11482]  Possible unsafe locking scenario:
[  235.030064][T11482]        CPU0                    CPU1
[  235.032316][T11482]        ----                    ----
[  235.034467][T11482]   lock(&nbd->config_lock);
[  235.036367][T11482]                                lock(&disk->open_mutex);
[  235.039016][T11482]                                lock(&nbd->config_lock);
[  235.041733][T11482]   lock(&set->update_nr_hwq_lock);
[  235.043812][T11482]
[  235.046785][T11482] 1 lock held by syz.2.1726/11482:
[  235.048846][T11482]  #0: ffff888022f0b230 (&nbd->config_lock){+.+.}-{4:4}, at: nbd_ioctl+0x150/0xda0 drivers/block/nbd.c:1635
[  235.052525][T11482]
[  235.055507][T11482] CPU: 0 UID: 0 PID: 11482 Comm: syz.2.1726 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)
[  235.055528][T11482] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  235.055536][T11482] Call Trace:
[  235.055541][T11482]  <TASK>
[  235.055547][T11482]  __dump_stack lib/dump_stack.c:94 [inline]
[  235.055547][T11482]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
[  235.055563][T11482]  print_circular_bug+0x275/0x350 kernel/locking/lockdep.c:2046
[  235.055603][T11482]  check_prev_add kernel/locking/lockdep.c:3168 [inline]
[  235.055603][T11482]  check_prevs_add kernel/locking/lockdep.c:3287 [inline]
[  235.055603][T11482]  validate_chain kernel/locking/lockdep.c:3911 [inline]
[  235.055603][T11482]  __lock_acquire+0x126f/0x1c90 kernel/locking/lockdep.c:5240
[  235.055617][T11482]  lock_acquire kernel/locking/lockdep.c:5871 [inline]
[  235.055617][T11482]  lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5828
[  235.055645][T11482]  ? __pfx___might_resched+0x10/0x10 kernel/sched/core.c:5899
[  235.055677][T11482]  down_write+0x92/0x200 kernel/locking/rwsem.c:1577
[  235.055690][T11482]  ? blk_mq_update_nr_hw_queues+0x32/0xcb0 block/blk-mq.c:5041
[  235.055718][T11482]  ? __mutex_lock_common kernel/locking/mutex.c:611 [inline]
[  235.055718][T11482]  ? __mutex_lock+0x1ca/0xb90 kernel/locking/mutex.c:746
[  235.055752][T11482]  blk_mq_update_nr_hw_queues+0x32/0xcb0 block/blk-mq.c:5041
[  235.055767][T11482]  ? __pfx___mutex_lock+0x10/0x10 usercopy_64.c:-1
[  235.055797][T11482]  nbd_start_device+0x172/0xcd0 drivers/block/nbd.c:1476
[  235.055814][T11482]  ? bpf_lsm_capable+0x9/0x10 include/linux/lsm_hook_defs.h:44
[  235.055843][T11482]  ? __pfx_nbd_ioctl+0x10/0x10 drivers/block/nbd.c:828
[  235.055862][T11482]  ? find_held_lock+0x2b/0x80 kernel/locking/lockdep.c:5353
[  235.055891][T11482]  compat_blkdev_ioctl+0x2ee/0x7a0 block/ioctl.c:760
[  235.055904][T11482]  ? __pfx_compat_blkdev_ioctl+0x10/0x10 block/ioctl.c:702
[  235.055931][T11482]  __do_compat_sys_ioctl fs/ioctl.c:1005 [inline]
[  235.055931][T11482]  __se_compat_sys_ioctl fs/ioctl.c:948 [inline]
[  235.055931][T11482]  __ia32_compat_sys_ioctl+0x23f/0x370 fs/ioctl.c:948
[  235.055950][T11482]  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
[  235.055950][T11482]  __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306
[  235.055964][T11482]  do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
[  235.055977][T11482]  entry_SYSENTER_compat_after_hwframe+0x84/0x8e
[  235.055992][T11482] RIP: 0023:0xf7fc5579
[  235.056012][T11482] RSP: 002b:00000000f50e655c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[  235.056023][T11482] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000000ab03
[  235.056030][T11482] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  235.056036][T11482] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  235.056049][T11482] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[  235.199512][T11481] netlink: 4 bytes leftover after parsing attributes in process `syz.6.1727'.


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
