Hello,
When using modified Syzkaller to fuzz the Linux kernel-5.19, the
following crash was triggered. Though the issue seems to get fixed on
syzbot(https://syzkaller.appspot.com/bug?id=12e4415bf5272f433acefa690478208f3be3be2d),
it could still be triggered with the following repro.
We would appreciate a CVE ID if this is a security issue.
HEAD commit: 568035b01cfb Linux-5.15.58
git tree: upstream
console output:
https://drive.google.com/file/d/1e4DHaUKhY9DLZJK_pNScWHydUv-MaD9_/view?usp=sharing
https://drive.google.com/file/d/1NmOGWcfPnY2kSrS0nOwvG1AZ923jFQ3p/view?usp=sharing
kernel config: https://drive.google.com/file/d/1wgIUDwP5ho29AM-K7HhysSTfWFpfXYkG/view?usp=sharing
syz repro: https://drive.google.com/file/d/1e5xY8AOMimLbpAlOOupmGYC_tUA3sa8k/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1esAe__18Lt7and43QdXFfI6GJCsF85_z/view?usp=sharing
Description:
spin_lock_irqsave() in __wake_up_common_lock() is called before waking
up a task. However, spin_lock_irqsave() has to be called once in
io_poll_double_wake().
such call stack is:
snd_pcm_post_stop()
__wake_up_common_lock()
spin_lock_irqsave()
io_poll_double_wake()
spin_lock_irqsave()
Environment:
Ubuntu 20.04 on Linux 5.4.0
QEMU 4.2.1:
qemu-system-x86_64 \
-m 2G \
-smp 2 \
-kernel /home/workdir/bzImage \
-append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
-drive file=/home/workdir/stretch.img,format=raw \
-net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
-net nic,model=e1000 \
-enable-kvm \
-nographic \
-pidfile vm.pid \
2>&1 | tee vm.log
If you fix this issue, please add the following tag to the commit:
Reported-by Jiacheng Xu<[email protected]>