Message-ID: <66f1c98e.050a0220.3eed3.0018.GAE@google.com>
Date: Mon, 23 Sep 2024 13:03:26 -0700
From: syzbot <syzbot+50499e163bfa302dfe7b@...kaller.appspotmail.com>
To: davem@...emloft.net, edumazet@...gle.com, johannes@...solutions.net, 
	krzk@...nel.org, kuba@...nel.org, linux-kernel@...r.kernel.org, 
	linux-wireless@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, 
	penguin-kernel@...ove.sakura.ne.jp, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [wireless?] INFO: task hung in rfkill_global_led_trigger_worker
 (3)

syzbot has found a reproducer for the following issue on:

HEAD commit:    de5cb0dcb74c Merge branch 'address-masking'
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15ee0c80580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f99f4d8e33bb9c3
dashboard link: https://syzkaller.appspot.com/bug?extid=50499e163bfa302dfe7b
compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10fa1e07980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13e1a107980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-de5cb0dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2b69b8a02541/vmlinux-de5cb0dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1d8b6c7690df/zImage-de5cb0dc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+50499e163bfa302dfe7b@...kaller.appspotmail.com

INFO: task kworker/1:3:111 blocked for more than 450 seconds.
      Not tainted 6.11.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:3     state:D stack:0     pid:111   tgid:111   ppid:2      flags:0x00000000
Workqueue: events rfkill_global_led_trigger_worker
Call trace: 
[<819b466c>] (__schedule) from [<819b52ac>] (__schedule_loop kernel/sched/core.c:6751 [inline])
[<819b466c>] (__schedule) from [<819b52ac>] (schedule+0x2c/0xfc kernel/sched/core.c:6766)
 r10:82c18205 r9:00000000 r8:827ec108 r7:00000002 r6:df9a1e74 r5:834d9800
 r4:834d9800
[<819b5280>] (schedule) from [<819b5660>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6823)
 r5:834d9800 r4:827ec104
[<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<819b7e50>] (__mutex_lock.constprop.0) from [<819b8a04>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
 r10:82c18205 r9:834d9800 r8:01800000 r7:ddde40c0 r6:82c18200 r5:82931dd4
 r4:827ec104
[<819b89f0>] (__mutex_lock_slowpath) from [<819b8a44>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<819b8a08>] (mutex_lock) from [<818bbfb8>] (rfkill_global_led_trigger_worker+0x1c/0xc0 net/rfkill/core.c:182)
[<818bbf9c>] (rfkill_global_led_trigger_worker) from [<80266148>] (process_one_work+0x1b4/0x4f4 kernel/workqueue.c:3229)
 r5:82931dd4 r4:8346f880
[<80265f94>] (process_one_work) from [<80266d2c>] (process_scheduled_works kernel/workqueue.c:3310 [inline])
[<80265f94>] (process_one_work) from [<80266d2c>] (worker_thread+0x1ec/0x3bc kernel/workqueue.c:3391)
 r10:834d9800 r9:8346f8ac r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
 r4:8346f880
[<80266b40>] (worker_thread) from [<8026fd9c>] (kthread+0x104/0x134 kernel/kthread.c:389)
 r10:00000000 r9:df921e78 r8:82f39c00 r7:8346f880 r6:80266b40 r5:834d9800
 r4:8368ab80
[<8026fc98>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137)
Exception stack(0xdf9a1fb0 to 0xdf9a1ff8)
1fa0:                                     00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026fc98 r4:8368ab80
INFO: task kworker/1:0:3121 blocked for more than 450 seconds.
      Not tainted 6.11.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:0     state:D stack:0     pid:3121  tgid:3121  ppid:2      flags:0x00000000
Workqueue: events rfkill_sync_work
Call trace: 
[<819b466c>] (__schedule) from [<819b52ac>] (__schedule_loop kernel/sched/core.c:6751 [inline])
[<819b466c>] (__schedule) from [<819b52ac>] (schedule+0x2c/0xfc kernel/sched/core.c:6766)
 r10:82c18205 r9:00000000 r8:827ec108 r7:00000002 r6:ec251e74 r5:83e02400
 r4:83e02400
[<819b5280>] (schedule) from [<819b5660>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6823)
 r5:83e02400 r4:827ec104
[<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<819b7e50>] (__mutex_lock.constprop.0) from [<819b8a04>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
 r10:82c18205 r9:83e02400 r8:01800000 r7:ddde40c0 r6:82c18200 r5:8444e684
 r4:8444e684
[<819b89f0>] (__mutex_lock_slowpath) from [<819b8a44>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<819b8a08>] (mutex_lock) from [<818bd800>] (rfkill_sync_work+0x1c/0x5c net/rfkill/core.c:1055)
[<818bd7e4>] (rfkill_sync_work) from [<80266148>] (process_one_work+0x1b4/0x4f4 kernel/workqueue.c:3229)
 r5:8444e684 r4:8467cc00
[<80265f94>] (process_one_work) from [<80266d2c>] (process_scheduled_works kernel/workqueue.c:3310 [inline])
[<80265f94>] (process_one_work) from [<80266d2c>] (worker_thread+0x1ec/0x3bc kernel/workqueue.c:3391)
 r10:83e02400 r9:8467cc2c r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
 r4:8467cc00
[<80266b40>] (worker_thread) from [<8026fd9c>] (kthread+0x104/0x134 kernel/kthread.c:389)
 r10:00000000 r9:df931e78 r8:84496980 r7:8467cc00 r6:80266b40 r5:83e02400
 r4:84496ac0
[<8026fc98>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137)
Exception stack(0xec251fb0 to 0xec251ff8)
1fa0:                                     00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026fc98 r4:84496ac0
INFO: task syz-executor355:3616 blocked for more than 450 seconds.
      Not tainted 6.11.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor355 state:D stack:0     pid:3616  tgid:3616  ppid:3127   flags:0x00000005
Call trace: 
[<819b466c>] (__schedule) from [<819b52ac>] (__schedule_loop kernel/sched/core.c:6751 [inline])
[<819b466c>] (__schedule) from [<819b52ac>] (schedule+0x2c/0xfc kernel/sched/core.c:6766)
 r10:81c7ff84 r9:00000000 r8:83efc860 r7:00000002 r6:dfc05de4 r5:83701800
 r4:83701800
[<819b5280>] (schedule) from [<819b5660>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6823)
 r5:83701800 r4:83efc85c
[<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<819b7e50>] (__mutex_lock.constprop.0) from [<819b8a04>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
 r10:81c7ff84 r9:200000c0 r8:00000000 r7:83701800 r6:00000001 r5:83efc85c
 r4:83efc800
[<819b89f0>] (__mutex_lock_slowpath) from [<819b8a44>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<819b8a08>] (mutex_lock) from [<819016f8>] (device_lock include/linux/device.h:1014 [inline])
[<819b8a08>] (mutex_lock) from [<819016f8>] (nfc_dev_down+0x20/0xc8 net/nfc/core.c:143)
[<819016d8>] (nfc_dev_down) from [<819017cc>] (nfc_rfkill_set_block+0x2c/0x68 net/nfc/core.c:179)
 r7:83701800 r6:00000001 r5:83efc800 r4:00000001
[<819017a0>] (nfc_rfkill_set_block) from [<818bcda0>] (rfkill_set_block+0x90/0x144 net/rfkill/core.c:346)
 r5:00000001 r4:83efe800
[<818bcd10>] (rfkill_set_block) from [<818bd358>] (rfkill_fop_write+0x1a8/0x258 net/rfkill/core.c:1301)
 r7:83701800 r6:83efe800 r5:827ec118 r4:00000008
[<818bd1b0>] (rfkill_fop_write) from [<805168b8>] (vfs_write+0xac/0x44c fs/read_write.c:681)
 r6:00000008 r5:84667780 r4:818bd1b0
[<8051680c>] (vfs_write) from [<80516e28>] (ksys_write+0xc4/0xf8 fs/read_write.c:736)
 r10:00000004 r9:83701800 r8:8020029c r7:00000008 r6:200000c0 r5:84667780
 r4:84667780
[<80516d64>] (ksys_write) from [<80516e6c>] (__do_sys_write fs/read_write.c:748 [inline])
[<80516d64>] (ksys_write) from [<80516e6c>] (sys_write+0x10/0x14 fs/read_write.c:745)
 r7:00000004 r6:7edc3160 r5:00000000 r4:ffffffff
[<80516e5c>] (sys_write) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfc05fa8 to 0xdfc05ff0)
5fa0:                   ffffffff 00000000 00000004 200000c0 00000008 00000000
5fc0: ffffffff 00000000 7edc3160 00000004 7e85fc6c 00002710 000f4240 00000000
5fe0: 7e85fc58 7e85fc48 000106d8 0002ea30
INFO: task syz-executor355:3617 blocked for more than 450 seconds.
      Not tainted 6.11.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor355 state:D stack:0     pid:3617  tgid:3617  ppid:3125   flags:0x00000004
Call trace: 
[<819b466c>] (__schedule) from [<819b52ac>] (__schedule_loop kernel/sched/core.c:6751 [inline])
[<819b466c>] (__schedule) from [<819b52ac>] (schedule+0x2c/0xfc kernel/sched/core.c:6766)
 r10:000000f8 r9:00000000 r8:827ec108 r7:00000002 r6:dfc25e04 r5:83702400
 r4:83702400
[<819b5280>] (schedule) from [<819b5660>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6823)
 r5:83702400 r4:827ec104
[<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<819b7e50>] (__mutex_lock.constprop.0) from [<819b8a04>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
 r10:000000f8 r9:00000000 r8:82cad790 r7:83f7b000 r6:83f7b024 r5:83efea40
 r4:83efe800
[<819b89f0>] (__mutex_lock_slowpath) from [<819b8a44>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<819b8a08>] (mutex_lock) from [<818bca90>] (rfkill_unregister+0x5c/0xc4 net/rfkill/core.c:1145)
[<818bca34>] (rfkill_unregister) from [<81900e80>] (nfc_unregister_device+0x44/0x118 net/nfc/core.c:1167)
 r5:83efc85c r4:83efc800
[<81900e3c>] (nfc_unregister_device) from [<8190de2c>] (nci_unregister_device+0x94/0x98 net/nfc/nci/core.c:1312)
 r5:83f7b024 r4:83f7b024
[<8190dd98>] (nci_unregister_device) from [<80b011c0>] (virtual_ncidev_close+0x18/0x30 drivers/nfc/virtual_ncidev.c:172)
 r9:00000000 r8:82cad790 r7:83867e58 r6:83022ee0 r5:000e001b r4:843549c0
[<80b011a8>] (virtual_ncidev_close) from [<80518350>] (__fput+0xdc/0x2e4 fs/file_table.c:431)
 r5:000e001b r4:84686cc0
[<80518274>] (__fput) from [<805185e0>] (____fput+0x14/0x18 fs/file_table.c:459)
 r9:00000000 r8:82871694 r7:83702400 r6:83702c84 r5:83702c54 r4:00000000
[<805185cc>] (____fput) from [<8026c6e4>] (task_work_run+0x90/0xb8 kernel/task_work.c:228)
[<8026c654>] (task_work_run) from [<80248f4c>] (exit_task_work include/linux/task_work.h:40 [inline])
[<8026c654>] (task_work_run) from [<80248f4c>] (do_exit+0x304/0xaa0 kernel/exit.c:939)
 r9:00000000 r8:dfc25f50 r7:83702c80 r6:83ee0978 r5:83ee0900 r4:83702400
[<80248c48>] (do_exit) from [<802498ac>] (do_group_exit+0x40/0x8c kernel/exit.c:1088)
 r7:83ecdf80
[<8024986c>] (do_group_exit) from [<80249910>] (__do_sys_exit_group kernel/exit.c:1099 [inline])
[<8024986c>] (do_group_exit) from [<80249910>] (pid_child_should_wake+0x0/0x6c kernel/exit.c:1097)
 r7:000000f8 r4:00000001
[<802498f8>] (sys_exit_group) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfc25fa8 to 0xdfc25ff0)
5fa0:                   00000001 0008b3ac 00000000 00000000 00000000 00000000
5fc0: 00000001 0008b3ac 00000000 000000f8 0008b8d0 00089158 00089158 0008b8d0
5fe0: 128a5b9d 7e85fc28 00016fa8 0002bdb4
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 32 Comm: khungtaskd Not tainted 6.11.0-syzkaller #0
Hardware name: ARM-Versatile Express
Call trace: 
[<81992360>] (dump_backtrace) from [<8199245c>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
 r7:00000000 r6:00000013 r5:60000093 r4:82039e28
[<81992444>] (show_stack) from [<819b0758>] (__dump_stack lib/dump_stack.c:94 [inline])
[<81992444>] (show_stack) from [<819b0758>] (dump_stack_lvl+0x70/0x7c lib/dump_stack.c:120)
[<819b06e8>] (dump_stack_lvl) from [<819b077c>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
 r5:00000001 r4:00000001
[<819b0764>] (dump_stack) from [<8197f620>] (nmi_cpu_backtrace+0x160/0x17c lib/nmi_backtrace.c:113)
[<8197f4c0>] (nmi_cpu_backtrace) from [<8197f76c>] (nmi_trigger_cpumask_backtrace+0x130/0x1d8 lib/nmi_backtrace.c:62)
 r7:00000001 r6:8260c5d0 r5:8261a88c r4:ffffffff
[<8197f63c>] (nmi_trigger_cpumask_backtrace) from [<802103e8>] (arch_trigger_cpumask_backtrace+0x18/0x1c arch/arm/kernel/smp.c:851)
 r9:00019000 r8:828b6cf8 r7:8260c730 r6:00007f60 r5:8261ae48 r4:8351451c
[<802103d0>] (arch_trigger_cpumask_backtrace) from [<803582e0>] (trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline])
[<802103d0>] (arch_trigger_cpumask_backtrace) from [<803582e0>] (check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline])
[<802103d0>] (arch_trigger_cpumask_backtrace) from [<803582e0>] (watchdog+0x498/0x5b8 kernel/hung_task.c:379)
[<80357e48>] (watchdog) from [<8026fd9c>] (kthread+0x104/0x134 kernel/kthread.c:389)
 r10:00000000 r9:df819e58 r8:82f23980 r7:00000000 r6:80357e48 r5:82e59800
 r4:82ec84c0
[<8026fc98>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137)
Exception stack(0xdf8e1fb0 to 0xdf8e1ff8)
1fa0:                                     00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026fc98 r4:82ec84c0
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 2932 Comm: klogd Not tainted 6.11.0-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at 0x76dbd918
LR is at 0x76db8460
pc : [<76dbd918>]    lr : [<76db8460>]    psr: 60000010
sp : 7eec3bc8  ip : 00000000  fp : 017e4b1b
r10: 76e30e60  r9 : 00000013  r8 : 00000000
r7 : 00000121  r6 : 76f665a0  r5 : 76f665a0  r4 : 017dd1a8
r3 : 00004000  r2 : 0000003e  r1 : 017e4b18  r0 : 0000003e
Flags: nZCv  IRQs on  FIQs on  Mode USER_32  ISA ARM  Segment user
Control: 30c5387d  Table: 84347480  DAC: fffffffd
Call trace: invalid frame pointer 0x017e4b1b


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
