Hello,
syzbot found the following crash on:
HEAD commit: 81429eb8 Merge tag 'arm64-fixes' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=171edaf2e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=56f109a734a2de32
dashboard link: https://syzkaller.appspot.com/bug?extid=a229d8d995b74f8c4b6c
compiler: clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13ee1f3ce00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 0 PID: 8024 at kernel/locking/lockdep.c:167 hlock_class
kernel/locking/lockdep.c:167 [inline]
WARNING: CPU: 0 PID: 8024 at kernel/locking/lockdep.c:167
mark_lock+0x8d2/0x1650 kernel/locking/lockdep.c:3643
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8024 Comm: udevd Not tainted 5.4.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fb/0x318 lib/dump_stack.c:118
panic+0x264/0x7a9 kernel/panic.c:221
__warn+0x20e/0x210 kernel/panic.c:582
report_bug+0x1b6/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:179 [inline]
do_error_trap+0xd7/0x440 arch/x86/kernel/traps.c:272
do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:hlock_class kernel/locking/lockdep.c:167 [inline]
RIP: 0010:mark_lock+0x8d2/0x1650 kernel/locking/lockdep.c:3643
Code: 0f 85 af 02 00 00 83 3d 8f 7a 65 07 00 0f 85 7a f8 ff ff 31 db 48 c7
c7 24 71 36 88 48 c7 c6 3c 2f 3b 88 31 c0 e8 be f4 ec ff <0f> 0b e9 6e f8
ff ff 4c 69 f3 b0 00 00 00 48 c7 c0 d0 f4 1c 89 4c
RSP: 0018:ffff8880aea09520 EFLAGS: 00010046
RAX: 7cc85c2266612300 RBX: 0000000000000000 RCX: ffff88809907a480
RDX: 0000000080000502 RSI: 0000000000000001 RDI: ffffffff815cbf54
RBP: ffff8880aea09620 R08: ffffffff8178fcea R09: fffffbfff111a493
R10: fffffbfff111a493 R11: 0000000000000000 R12: 1ffff1101320f5c5
R13: dffffc0000000000 R14: 0000000000000004 R15: 0000000000000010
mark_usage kernel/locking/lockdep.c:3566 [inline]
__lock_acquire+0x5a0/0x1be0 kernel/locking/lockdep.c:3909
lock_acquire+0x158/0x250 kernel/locking/lockdep.c:4487
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2d/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:338 [inline]
__netif_tx_lock include/linux/netdevice.h:3897 [inline]
sch_direct_xmit+0x154/0xd50 net/sched/sch_generic.c:311
__dev_xmit_skb net/core/dev.c:3400 [inline]
__dev_queue_xmit+0x1bf7/0x3010 net/core/dev.c:3761
dev_queue_xmit+0x17/0x20 net/core/dev.c:3825
neigh_hh_output include/net/neighbour.h:500 [inline]
neigh_output include/net/neighbour.h:509 [inline]
ip6_finish_output2+0xff2/0x13b0 net/ipv6/ip6_output.c:116
__ip6_finish_output+0x693/0x8c0 net/ipv6/ip6_output.c:142
ip6_finish_output+0x52/0x1e0 net/ipv6/ip6_output.c:152
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip6_output+0x26f/0x370 net/ipv6/ip6_output.c:175
dst_output include/net/dst.h:436 [inline]
NF_HOOK include/linux/netfilter.h:305 [inline]
mld_sendpack+0x770/0xb80 net/ipv6/mcast.c:1682
mld_send_initial_cr+0x24c/0x2c0 net/ipv6/mcast.c:2099
mld_dad_timer_expire+0x2e/0x350 net/ipv6/mcast.c:2118
call_timer_fn+0x95/0x170 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers+0x7b6/0x990 kernel/time/timer.c:1773
run_timer_softirq+0x4a/0x90 kernel/time/timer.c:1786
__do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:766
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x227/0x230 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x113/0x280 arch/x86/kernel/apic/apic.c:1137
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
</IRQ>
RIP: 0010:update_stack_state+0x3c/0x530 arch/x86/kernel/unwind_frame.c:196
Code: 00 00 49 89 f5 49 89 ff 65 48 8b 04 25 28 00 00 00 48 89 45 d0 48 bb
00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 48 89 45 a8 <8a> 04 18 84 c0
0f 85 71 03 00 00 41 8b 07 89 45 a4 4d 8d 67 58 4c
RSP: 0018:ffff888097ae7520 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff13
RAX: 1ffff11012f5ced0 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000009 RSI: ffff888097ae7f48 RDI: ffff888097ae7680
RBP: ffff888097ae75c8 R08: ffffffff81629dbd R09: ffff888097ae7680
R10: ffffed1012f5cedc R11: 0000000000000000 R12: ffff888097ae7f48
R13: ffff888097ae7f48 R14: ffff888097ae76d0 R15: ffff888097ae7680
unwind_next_frame+0x3f1/0x7a0 arch/x86/kernel/unwind_frame.c:311
arch_stack_walk+0xb4/0xe0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0xb6/0x150 kernel/stacktrace.c:123
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
__do_kmalloc_node mm/slab.c:3615 [inline]
__kmalloc_node_track_caller+0x4d/0x60 mm/slab.c:3629
__kmalloc_reserve net/core/skbuff.c:141 [inline]
__alloc_skb+0xe8/0x500 net/core/skbuff.c:209
alloc_skb include/linux/skbuff.h:1049 [inline]
alloc_skb_with_frags+0xb6/0x600 net/core/skbuff.c:5662
sock_alloc_send_pskb+0x7cc/0xbc0 net/core/sock.c:2244
unix_dgram_sendmsg+0x612/0x2460 net/unix/af_unix.c:1625
sock_sendmsg_nosec net/socket.c:637 [inline]
sock_sendmsg net/socket.c:657 [inline]
__sys_sendto+0x442/0x5e0 net/socket.c:1952
__do_sys_sendto net/socket.c:1964 [inline]
__se_sys_sendto net/socket.c:1960 [inline]
__x64_sys_sendto+0xe5/0x100 net/socket.c:1960
do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f31c173d282
Code: 48 83 c8 ff eb ea 90 90 53 48 83 ec 20 8b 05 81 d3 2a 00 85 c0 75 21
45 31 c9 45 31 c0 4c 63 d1 48 63 ff b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff
ff 77 61 48 83 c4 20 5b c3 48 89 54 24 08 89 0c 24
RSP: 002b:00007ffdbd60f5e0 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000000000063a3c0 RCX: 00007f31c173d282
RDX: 0000000000000008 RSI: 00007ffdbd60f630 RDI: 0000000000000009
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 000000000063d8f0 R14: 000000000063a250 R15: 000000000000000b
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot has found a reproducer for the following crash on:
HEAD commit: 89d57ddd Merge tag 'media/v5.5-1' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=117804dae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=595c15c951695d1b
dashboard link: https://syzkaller.appspot.com/bug?extid=a229d8d995b74f8c4b6c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1511af5ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e0f17ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 0 PID: 0 at kernel/locking/lockdep.c:167 hlock_class
kernel/locking/lockdep.c:167 [inline]
WARNING: CPU: 0 PID: 0 at kernel/locking/lockdep.c:167 hlock_class
kernel/locking/lockdep.c:156 [inline]
WARNING: CPU: 0 PID: 0 at kernel/locking/lockdep.c:167
mark_lock+0x22b/0x1220 kernel/locking/lockdep.c:3643
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:221
__warn.cold+0x2f/0x3e kernel/panic.c:582
report_bug+0x289/0x300 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
fixup_bug arch/x86/kernel/traps.c:169 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:hlock_class kernel/locking/lockdep.c:167 [inline]
RIP: 0010:hlock_class kernel/locking/lockdep.c:156 [inline]
RIP: 0010:mark_lock+0x22b/0x1220 kernel/locking/lockdep.c:3643
Code: d0 7c 08 84 d2 0f 85 a8 0e 00 00 44 8b 1d ed e6 8d 08 45 85 db 75 b6
48 c7 c6 00 19 cc 87 48 c7 c7 40 19 cc 87 e8 e4 2d eb ff <0f> 0b 31 db e9
aa fe ff ff 48 c7 c7 a0 08 d0 8a e8 f0 fb 56 00 e9
RSP: 0018:ffff8880ae809308 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000100 RSI: ffffffff815dc196 RDI: ffffed1015d01253
RBP: ffff8880ae809358 R08: ffffffff8907a1c0 R09: fffffbfff1234161
R10: fffffbfff1234160 R11: ffffffff891a0b03 R12: 0000000000000004
R13: ffffffff8907ab48 R14: 0000000000000001 R15: 00000000000425c6
mark_usage kernel/locking/lockdep.c:3566 [inline]
__lock_acquire+0x1e8e/0x4a00 kernel/locking/lockdep.c:3909
lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:338 [inline]
__netif_tx_lock include/linux/netdevice.h:3925 [inline]
sch_direct_xmit+0x2e0/0xd30 net/sched/sch_generic.c:311
__dev_xmit_skb net/core/dev.c:3621 [inline]
__dev_queue_xmit+0x270a/0x35c0 net/core/dev.c:3982
dev_queue_xmit+0x18/0x20 net/core/dev.c:4046
neigh_resolve_output net/core/neighbour.c:1490 [inline]
neigh_resolve_output+0x5c4/0x990 net/core/neighbour.c:1470
neigh_output include/net/neighbour.h:511 [inline]
ip6_finish_output2+0x109a/0x25c0 net/ipv6/ip6_output.c:116
__ip6_finish_output+0x444/0xaa0 net/ipv6/ip6_output.c:142
ip6_finish_output+0x38/0x1f0 net/ipv6/ip6_output.c:152
NF_HOOK_COND include/linux/netfilter.h:296 [inline]
ip6_output+0x25e/0x880 net/ipv6/ip6_output.c:175
dst_output include/net/dst.h:436 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
mld_sendpack+0x9c2/0xed0 net/ipv6/mcast.c:1682
mld_send_cr net/ipv6/mcast.c:1978 [inline]
mld_ifc_timer_expire+0x454/0x950 net/ipv6/mcast.c:2477
call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
__do_softirq+0x262/0x98c kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x19b/0x1e0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: 58 25 4f fa eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 24 c9 66
00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 14 c9 66 00 fb f4 <c3> cc 55 48 89
e5 41 57 41 56 41 55 41 54 53 e8 5e 42 00 fa e8 b9
RSP: 0018:ffffffff89007ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff1226656 RBX: ffffffff8907a1c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8907aa54
RBP: ffffffff89007d18 R08: ffffffff8907a1c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffffff89e789c0 R14: 0000000000000000 R15: 0000000000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
rest_init+0x23b/0x371 init/main.c:451
arch_call_rest_init+0xe/0x1b
start_kernel+0x904/0x943 init/main.c:784
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at kernel/locking/mutex.c:1419
mutex_trylock+0x279/0x2f0 kernel/locking/mutex.c:1427
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:mutex_trylock+0x279/0x2f0 kernel/locking/mutex.c:1419
Code: c9 41 b8 01 00 00 00 31 c9 ba 01 00 00 00 31 f6 e8 0c 5e f9 f9 58 48
8d 65 d8 b8 01 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b e9 0c fe
ff ff 48 c7 c7 a0 08 d0 8a 48 89 4d d0 e8 70 e7 4f
RSP: 0018:ffff8880ae808ec8 EFLAGS: 00010006
RAX: 0000000000000504 RBX: 1ffff11015d011e1 RCX: 0000000000000004
RDX: 0000000000000100 RSI: ffffffff816b4095 RDI: ffffffff891c9b60
RBP: ffff8880ae808ef8 R08: 0000000000000001 R09: fffffbfff12346bd
R10: fffffbfff12346bc R11: ffffffff891a35e3 R12: ffffffff8ad008a0
R13: 0000000000000000 R14: ffffffff8159d400 R15: ffffffff891c9b60
FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c0 CR3: 00000000a5da3000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__crash_kexec+0x91/0x200 kernel/kexec_core.c:948
panic+0x308/0x75c kernel/panic.c:241
__warn.cold+0x2f/0x3e kernel/panic.c:582
report_bug+0x289/0x300 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
fixup_bug arch/x86/kernel/traps.c:169 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:hlock_class kernel/locking/lockdep.c:167 [inline]
RIP: 0010:hlock_class kernel/locking/lockdep.c:156 [inline]
RIP: 0010:mark_lock+0x22b/0x1220 kernel/locking/lockdep.c:3643
Code: d0 7c 08 84 d2 0f 85 a8 0e 00 00 44 8b 1d ed e6 8d 08 45 85 db 75 b6
48 c7 c6 00 19 cc 87 48 c7 c7 40 19 cc 87 e8 e4 2d eb ff <0f> 0b 31 db e9
aa fe ff ff 48 c7 c7 a0 08 d0 8a e8 f0 fb 56 00 e9
RSP: 0018:ffff8880ae809308 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000100 RSI: ffffffff815dc196 RDI: ffffed1015d01253
RBP: ffff8880ae809358 R08: ffffffff8907a1c0 R09: fffffbfff1234161
R10: fffffbfff1234160 R11: ffffffff891a0b03 R12: 0000000000000004
R13: ffffffff8907ab48 R14: 0000000000000001 R15: 00000000000425c6
mark_usage kernel/locking/lockdep.c:3566 [inline]
__lock_acquire+0x1e8e/0x4a00 kernel/locking/lockdep.c:3909
lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:338 [inline]
__netif_tx_lock include/linux/netdevice.h:3925 [inline]
sch_direct_xmit+0x2e0/0xd30 net/sched/sch_generic.c:311
__dev_xmit_skb net/core/dev.c:3621 [inline]
__dev_queue_xmit+0x270a/0x35c0 net/core/dev.c:3982
dev_queue_xmit+0x18/0x20 net/core/dev.c:4046
neigh_resolve_output net/core/neighbour.c:1490 [inline]
neigh_resolve_output+0x5c4/0x990 net/core/neighbour.c:1470
neigh_output include/net/neighbour.h:511 [inline]
ip6_finish_output2+0x109a/0x25c0 net/ipv6/ip6_output.c:116
__ip6_finish_output+0x444/0xaa0 net/ipv6/ip6_output.c:142
ip6_finish_output+0x38/0x1f0 net/ipv6/ip6_output.c:152
NF_HOOK_COND include/linux/netfilter.h:296 [inline]
ip6_output+0x25e/0x880 net/ipv6/ip6_output.c:175
dst_output include/net/dst.h:436 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
mld_sendpack+0x9c2/0xed0 net/ipv6/mcast.c:1682
mld_send_cr net/ipv6/mcast.c:1978 [inline]
mld_ifc_timer_expire+0x454/0x950 net/ipv6/mcast.c:2477
call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
__do_softirq+0x262/0x98c kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x19b/0x1e0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: 58 25 4f fa eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 24 c9 66
00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 14 c9 66 00 fb f4 <c3> cc 55 48 89
e5 41 57 41 56 41 55 41 54 53 e8 5e 42 00 fa e8 b9
RSP: 0018:ffffffff89007ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff1226656 RBX: ffffffff8907a1c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8907aa54
RBP: ffffffff89007d18 R08: ffffffff8907a1c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffffff89e789c0 R14: 0000000000000000 R15: 0000000000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
rest_init+0x23b/0x371 init/main.c:451
arch_call_rest_init+0xe/0x1b
start_kernel+0x904/0x943 init/main.c:784
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
irq event stamp: 169380
hardirqs last enabled at (169380): [<ffffffff85b80cd8>]
seqcount_lockdep_reader_access include/linux/seqlock.h:83 [inline]
hardirqs last enabled at (169380): [<ffffffff85b80cd8>]
read_seqcount_begin include/linux/seqlock.h:164 [inline]
hardirqs last enabled at (169380): [<ffffffff85b80cd8>] read_seqbegin
include/linux/seqlock.h:433 [inline]
hardirqs last enabled at (169380): [<ffffffff85b80cd8>]
neigh_resolve_output net/core/neighbour.c:1484 [inline]
hardirqs last enabled at (169380): [<ffffffff85b80cd8>]
neigh_resolve_output+0x3e8/0x990 net/core/neighbour.c:1470
hardirqs last disabled at (169379): [<ffffffff85b80c80>]
seqcount_lockdep_reader_access include/linux/seqlock.h:80 [inline]
hardirqs last disabled at (169379): [<ffffffff85b80c80>]
read_seqcount_begin include/linux/seqlock.h:164 [inline]
hardirqs last disabled at (169379): [<ffffffff85b80c80>] read_seqbegin
include/linux/seqlock.h:433 [inline]
hardirqs last disabled at (169379): [<ffffffff85b80c80>]
neigh_resolve_output net/core/neighbour.c:1484 [inline]
hardirqs last disabled at (169379): [<ffffffff85b80c80>]
neigh_resolve_output+0x390/0x990 net/core/neighbour.c:1470
softirqs last enabled at (169342): [<ffffffff81468f2c>]
_local_bh_enable+0x1c/0x30 kernel/softirq.c:162
softirqs last disabled at (169343): [<ffffffff8146b92b>] invoke_softirq
kernel/softirq.c:373 [inline]
softirqs last disabled at (169343): [<ffffffff8146b92b>]
irq_exit+0x19b/0x1e0 kernel/softirq.c:413
---[ end trace 2daec1acd3cd1e7d ]---
------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at kernel/locking/mutex.c:737 mutex_unlock+0x1d/0x30
kernel/locking/mutex.c:744
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:mutex_unlock+0x1d/0x30 kernel/locking/mutex.c:737
Code: 4c 89 ff e8 c5 f2 4f fa e9 8c fb ff ff 55 65 8b 05 00 40 a1 78 a9 00
ff 1f 00 48 89 e5 75 0b 48 8b 75 08 e8 45 f9 ff ff 5d c3 <0f> 0b 48 8b 75
08 e8 38 f9 ff ff 5d c3 66 0f 1f 44 00 00 48 b8 00
RSP: 0018:ffff8880ae808ef8 EFLAGS: 00010006
RAX: 0000000000000504 RBX: 1ffff11015d011e1 RCX: ffffffff816b40ad
RDX: 0000000000000100 RSI: ffffffff816b410f RDI: ffffffff891c9b60
RBP: ffff8880ae808ef8 R08: ffffffff8907a1c0 R09: 0000000000000000
R10: fffffbfff123936c R11: ffffffff891c9b67 R12: 0000000000000001
R13: 0000000000000000 R14: ffffffff8159d400 R15: 00000000000000a7
FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c0 CR3: 00000000a5da3000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__crash_kexec+0x10b/0x200 kernel/kexec_core.c:957
panic+0x308/0x75c kernel/panic.c:241
__warn.cold+0x2f/0x3e kernel/panic.c:582
report_bug+0x289/0x300 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
fixup_bug arch/x86/kernel/traps.c:169 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:hlock_class kernel/locking/lockdep.c:167 [inline]
RIP: 0010:hlock_class kernel/locking/lockdep.c:156 [inline]
RIP: 0010:mark_lock+0x22b/0x1220 kernel/locking/lockdep.c:3643
Code: d0 7c 08 84 d2 0f 85 a8 0e 00 00 44 8b 1d ed e6 8d 08 45 85 db 75 b6
48 c7 c6 00 19 cc 87 48 c7 c7 40 19 cc 87 e8 e4 2d eb ff <0f> 0b 31 db e9
aa fe ff ff 48 c7 c7 a0 08 d0 8a e8 f0 fb 56 00 e9
RSP: 0018:ffff8880ae809308 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000100 RSI: ffffffff815dc196 RDI: ffffed1015d01253
RBP: ffff8880ae809358 R08: ffffffff8907a1c0 R09: fffffbfff1234161
R10: fffffbfff1234160 R11: ffffffff891a0b03 R12: 0000000000000004
R13: ffffffff8907ab48 R14: 0000000000000001 R15: 00000000000425c6
mark_usage kernel/locking/lockdep.c:3566 [inline]
__lock_acquire+0x1e8e/0x4a00 kernel/locking/lockdep.c:3909
lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:338 [inline]
__netif_tx_lock include/linux/netdevice.h:3925 [inline]
sch_direct_xmit+0x2e0/0xd30 net/sched/sch_generic.c:311
__dev_xmit_skb net/core/dev.c:3621 [inline]
__dev_queue_xmit+0x270a/0x35c0 net/core/dev.c:3982
dev_queue_xmit+0x18/0x20 net/core/dev.c:4046
neigh_resolve_output net/core/neighbour.c:1490 [inline]
neigh_resolve_output+0x5c4/0x990 net/core/neighbour.c:1470
neigh_output include/net/neighbour.h:511 [inline]
ip6_finish_output2+0x109a/0x25c0 net/ipv6/ip6_output.c:116
__ip6_finish_output+0x444/0xaa0 net/ipv6/ip6_output.c:142
ip6_finish_output+0x38/0x1f0 net/ipv6/ip6_output.c:152
NF_HOOK_COND include/linux/netfilter.h:296 [inline]
ip6_output+0x25e/0x880 net/ipv6/ip6_output.c:175
dst_output include/net/dst.h:436 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
mld_sendpack+0x9c2/0xed0 net/ipv6/mcast.c:1682
mld_send_cr net/ipv6/mcast.c:1978 [inline]
mld_ifc_timer_expire+0x454/0x950 net/ipv6/mcast.c:2477
call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
__do_softirq+0x262/0x98c kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x19b/0x1e0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: 58 25 4f fa eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 24 c9 66
00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 14 c9 66 00 fb f4 <c3> cc 55 48 89
e5 41 57 41 56 41 55 41 54 53 e8 5e 42 00 fa e8 b9
RSP: 0018:ffffffff89007ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff1226656 RBX: ffffffff8907a1c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8907aa54
RBP: ffffffff89007d18 R08: ffffffff8907a1c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffffff89e789c0 R14: 0000000000000000 R15: 0000000000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
rest_init+0x23b/0x371 init/main.c:451
arch_call_rest_init+0xe/0x1b
start_kernel+0x904/0x943 init/main.c:784
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
irq event stamp: 169380
hardirqs last enabled at (169380): [<ffffffff85b80cd8>]
seqcount_lockdep_reader_access include/linux/seqlock.h:83 [inline]
hardirqs last enabled at (169380): [<ffffffff85b80cd8>]
read_seqcount_begin include/linux/seqlock.h:164 [inline]
hardirqs last enabled at (169380): [<ffffffff85b80cd8>] read_seqbegin
include/linux/seqlock.h:433 [inline]
hardirqs last enabled at (169380): [<ffffffff85b80cd8>]
neigh_resolve_output net/core/neighbour.c:1484 [inline]
hardirqs last enabled at (169380): [<ffffffff85b80cd8>]
neigh_resolve_output+0x3e8/0x990 net/core/neighbour.c:1470
hardirqs last disabled at (169379): [<ffffffff85b80c80>]
seqcount_lockdep_reader_access include/linux/seqlock.h:80 [inline]
hardirqs last disabled at (169379): [<ffffffff85b80c80>]
read_seqcount_begin include/linux/seqlock.h:164 [inline]
hardirqs last disabled at (169379): [<ffffffff85b80c80>] read_seqbegin
include/linux/seqlock.h:433 [inline]
hardirqs last disabled at (169379): [<ffffffff85b80c80>]
neigh_resolve_output net/core/neighbour.c:1484 [inline]
hardirqs last disabled at (169379): [<ffffffff85b80c80>]
neigh_resolve_output+0x390/0x990 net/core/neighbour.c:1470
softirqs last enabled at (169342): [<ffffffff81468f2c>]
_local_bh_enable+0x1c/0x30 kernel/softirq.c:162
softirqs last disabled at (169343): [<ffffffff8146b92b>] invoke_softirq
kernel/softirq.c:373 [inline]
softirqs last disabled at (169343): [<ffffffff8146b92b>]
irq_exit+0x19b/0x1e0 kernel/softirq.c:413
---[ end trace 2daec1acd3cd1e7e ]---
Kernel Offset: disabled
Rebooting in 86400 seconds..
syzbot has bisected this bug to:
commit d665c1281bc89ac85b8b0c058c22a3f94640a1d6
Author: Yi Wang <[email protected]>
Date: Mon Oct 21 23:57:42 2019 +0000
net: sched: taprio: fix -Wmissing-prototypes warnings
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=132ee536e00000
start commit: 89d57ddd Merge tag 'media/v5.5-1' of git://git.kernel.org/..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=10aee536e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=172ee536e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=595c15c951695d1b
dashboard link: https://syzkaller.appspot.com/bug?extid=a229d8d995b74f8c4b6c
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1511af5ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e0f17ae00000
Reported-by: [email protected]
Fixes: d665c1281bc8 ("net: sched: taprio: fix -Wmissing-prototypes warnings")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
On Thursday, 28 November 2019 03:00:01 CET syzbot wrote:
[...]
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=132ee536e00000
> start commit: 89d57ddd Merge tag 'media/v5.5-1' of git://git.kernel.org/..
> git tree: upstream
> final crash: https://syzkaller.appspot.com/x/report.txt?x=10aee536e00000
Can the syzbot infrastructure be told to ignore this crash in the bisect run?
Because this should be an unrelated crash which is (hopefully) fixed in
40e220b4218b ("batman-adv: Avoid free/alloc race when handling OGM buffer").
Kind regards,
Sven
On Thu, Nov 28, 2019 at 8:25 AM Sven Eckelmann <[email protected]> wrote:
>
> On Thursday, 28 November 2019 03:00:01 CET syzbot wrote:
> [...]
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=132ee536e00000
> > start commit: 89d57ddd Merge tag 'media/v5.5-1' of git://git.kernel.org/..
> > git tree: upstream
> > final crash: https://syzkaller.appspot.com/x/report.txt?x=10aee536e00000
>
> Can the syzbot infrastructure be told to ignore this crash in the bisect run?
> Because this should be an unrelated crash which is (hopefully) fixed in
> 40e220b4218b ("batman-adv: Avoid free/alloc race when handling OGM buffer").
+syzkaller mailing list for syzbot discussion
Hi Sven,
There is no such functionality at the moment.
What exactly do you mean? Somehow telling it interactively? Or
hardcode some set of crashes for linux? I don't see how any of these
options can really work...
On Thursday, 28 November 2019 09:40:32 CET Dmitry Vyukov wrote:
> On Thu, Nov 28, 2019 at 8:25 AM Sven Eckelmann <[email protected]> wrote:
> >
> > On Thursday, 28 November 2019 03:00:01 CET syzbot wrote:
> > [...]
> > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=132ee536e00000
> > > start commit: 89d57ddd Merge tag 'media/v5.5-1' of git://git.kernel.org/..
> > > git tree: upstream
> > > final crash: https://syzkaller.appspot.com/x/report.txt?x=10aee536e00000
> >
> > Can the syzbot infrastructure be told to ignore this crash in the bisect run?
> > Because this should be an unrelated crash which is (hopefully) fixed in
> > 40e220b4218b ("batman-adv: Avoid free/alloc race when handling OGM buffer").
>
> +syzkaller mailing list for syzbot discussion
>
> Hi Sven,
>
> There is no such functionality at the moment.
> What exactly do you mean? Somehow telling it interactively? Or
> hardcode some set of crashes for linux? I don't see how any of these
> options can really work...
I was thinking more about rerunning the same bisect but telling it to assume
"crashed: general protection fault in batadv_iv_ogm_queue_add" as OK instead
of assuming that it is a crash like the previous "crashed: WARNING in
mark_lock". Just to get a non-bogus bisect result. Or try to rerun the
bisect between 40e220b4218b and 89d57dddd7d319ded00415790a0bb3c954b7e386.
Kind regards,
Sven
On Thu, Nov 28, 2019 at 9:46 AM Sven Eckelmann <[email protected]> wrote:
>
> On Thursday, 28 November 2019 09:40:32 CET Dmitry Vyukov wrote:
> > On Thu, Nov 28, 2019 at 8:25 AM Sven Eckelmann <[email protected]> wrote:
> > >
> > > On Thursday, 28 November 2019 03:00:01 CET syzbot wrote:
> > > [...]
> > > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=132ee536e00000
> > > > start commit: 89d57ddd Merge tag 'media/v5.5-1' of git://git.kernel.org/..
> > > > git tree: upstream
> > > > final crash: https://syzkaller.appspot.com/x/report.txt?x=10aee536e00000
> > >
> > > Can the syzbot infrastructure be told to ignore this crash in the bisect run?
> > > Because this should be an unrelated crash which is (hopefully) fixed in
> > > 40e220b4218b ("batman-adv: Avoid free/alloc race when handling OGM buffer").
> >
> > +syzkaller mailing list for syzbot discussion
> >
> > Hi Sven,
> >
> > There is no such functionality at the moment.
> > What exactly do you mean? Somehow telling it interactively? Or
> > hardcode some set of crashes for linux? I don't see how any of these
> > options can really work...
>
> I was thinking more about rerunning the same bisect but telling it to assume
> "crashed: general protection fault in batadv_iv_ogm_queue_add" as OK instead
> of assuming that it is a crash like the previous "crashed: WARNING in
> mark_lock". Just to get a non-bogus bisect result. Or try to rerun the
> bisect between 40e220b4218b and 89d57dddd7d319ded00415790a0bb3c954b7e386.
But... but this is done by a program. What do you mean by "tell it"?
On Thursday, 28 November 2019 09:54:15 CET Dmitry Vyukov wrote:
[...]
> > I was thinking more about rerunning the same bisect but telling it to assume
> > "crashed: general protection fault in batadv_iv_ogm_queue_add" as OK instead
> > of assuming that it is a crash like the previous "crashed: WARNING in
> > mark_lock". Just to get a non-bogus bisect result. Or try to rerun the
> > bisect between 40e220b4218b and 89d57dddd7d319ded00415790a0bb3c954b7e386.
>
> But... but this is done by a program. What do you mean by "tell it"?
Sorry that I asked about what the infrastructure around syzbot can do and
what the interaction with it looks like.
Kind regards,
Sven