From: syzbot <syzbot+221d75710bde87fa0e97@syzkaller.appspotmail.com>
To: dvyukov@google.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	viro@zeniv.linux.org.uk
Subject: Re: INFO: task hung in lock_mount
Date: Wed, 23 May 2018 12:13:02 -0700
Message-ID: <000000000000e588f5056ce452ce@google.com>
In-Reply-To: <0000000000006de361056b146dbe@google.com>

syzbot has found a reproducer for the following crash on:

HEAD commit:    a048a07d7f45 powerpc/64s: Add support for a store forwardi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1084cc27800000
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=221d75710bde87fa0e97
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13992a0f800000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=131a727b800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+221d75710bde87fa0e97@syzkaller.appspotmail.com

INFO: task syz-executor694:4903 blocked for more than 120 seconds.
       Not tainted 4.17.0-rc6+ #63
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor694 D24936  4903   4506 0x00000004
Call Trace:
  context_switch kernel/sched/core.c:2859 [inline]
  __schedule+0x801/0x1e30 kernel/sched/core.c:3501
  schedule+0xef/0x430 kernel/sched/core.c:3545
  __rwsem_down_write_failed_common+0x919/0x15d0  
kernel/locking/rwsem-xadd.c:565
  rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:594
  call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
  __down_write arch/x86/include/asm/rwsem.h:142 [inline]
  down_write+0xa2/0x120 kernel/locking/rwsem.c:72
  namespace_lock fs/namespace.c:1431 [inline]
  lock_mount+0xdc/0x2e0 fs/namespace.c:2093
  do_loopback fs/namespace.c:2221 [inline]
  do_mount+0xebc/0x3070 fs/namespace.c:2842
  ksys_mount+0x12d/0x140 fs/namespace.c:3064
  __do_sys_mount fs/namespace.c:3078 [inline]
  __se_sys_mount fs/namespace.c:3075 [inline]
  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447099
RSP: 002b:00007f0d700b4da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00000000006ddcb4 RCX: 0000000000447099
RDX: 0000000020000140 RSI: 00000000200000c0 RDI: 0000000020000000
RBP: 00000000006ddcb0 R08: 0000000020000200 R09: 0000000000000000
R10: 0000000000003080 R11: 0000000000000246 R12: 0030656c69662f2e
R13: 6f7365725f736e64 R14: 70756f7267632f2e R15: 0000000000000007

Showing all locks held in the system:
2 locks held by khungtaskd/892:
  #0:         (ptrval) (rcu_read_lock){....}, at:  
check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
  #0:         (ptrval) (rcu_read_lock){....}, at: watchdog+0x1ff/0xf60  
kernel/hung_task.c:249
  #1:         (ptrval) (tasklist_lock){.+.+}, at:  
debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470
1 lock held by rsyslogd/4380:
  #0:         (ptrval) (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x1a9/0x1e0  
fs/file.c:766
2 locks held by getty/4470:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4471:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4472:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4473:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4474:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4475:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4476:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by syz-executor694/4903:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4901:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4905:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4911:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4913:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4919:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4921:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4928:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4935:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4937:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4939:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
2 locks held by syz-executor694/4941:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock  
fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0  
fs/namespace.c:2093
1 lock held by syz-executor694/4943:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
inode_lock_shared include/linux/fs.h:723 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lookup_slow+0x49/0x80 fs/namei.c:1646
2 locks held by syz-executor694/4944:
  #0:         (ptrval) (sb_writers#12){.+.+}, at: sb_start_write  
include/linux/fs.h:1550 [inline]
  #0:         (ptrval) (sb_writers#12){.+.+}, at: mnt_want_write+0x3f/0xc0  
fs/namespace.c:386
  #1:         (ptrval) (&sb->s_type->i_mutex_key#15/1){+.+.}, at:  
inode_lock_nested include/linux/fs.h:748 [inline]
  #1:         (ptrval) (&sb->s_type->i_mutex_key#15/1){+.+.}, at:  
filename_create+0x1aa/0x5a0 fs/namei.c:3606
1 lock held by syz-executor694/4945:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
1 lock held by syz-executor694/4947:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2088

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 892 Comm: khungtaskd Not tainted 4.17.0-rc6+ #63
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
  nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
  nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
  arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
  trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
  check_hung_task kernel/hung_task.c:132 [inline]
  check_hung_uninterruptible_tasks kernel/hung_task.c:190 [inline]
  watchdog+0xc10/0xf60 kernel/hung_task.c:249
  kthread+0x345/0x410 kernel/kthread.c:240
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 4901 Comm: syz-executor694 Not tainted 4.17.0-rc6+ #63
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:__lock_release kernel/locking/lockdep.c:3674 [inline]
RIP: 0010:lock_release+0x1f5/0xa10 kernel/locking/lockdep.c:3939
RSP: 0018:ffff8801afca7708 EFLAGS: 00000097
RAX: 0000000000000003 RBX: 1ffff10035f94ee6 RCX: ffffffff815e1551
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff8801afca7838 R08: 0000000000000000 R09: ffffed00351966c8
R10: ffffed00351966c8 R11: ffff8801a8cb3643 R12: ffff8801afca7810
R13: ffff8801a8cb3658 R14: ffff8801a9a003c0 R15: ffff8801afca7750
FS:  00007f0d700f7700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000001d05cc000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  __raw_spin_unlock include/linux/spinlock_api_smp.h:150 [inline]
  _raw_spin_unlock+0x1a/0x30 kernel/locking/spinlock.c:176
  spin_unlock include/linux/spinlock.h:350 [inline]
  lockref_get+0x42/0x50 lib/lockref.c:51
  dget include/linux/dcache.h:326 [inline]
  mnt_set_mountpoint+0xe7/0x360 fs/namespace.c:914
  propagate_one+0x5a7/0x910 fs/pnode.c:269
  propagate_mnt+0x18a/0x3e0 fs/pnode.c:315
  attach_recursive_mnt+0x5f8/0xb50 fs/namespace.c:2033
  graft_tree+0x1aa/0x240 fs/namespace.c:2133
  do_add_mount+0x1fe/0x370 fs/namespace.c:2491
  do_new_mount fs/namespace.c:2532 [inline]
  do_mount+0x18e6/0x3070 fs/namespace.c:2848
  ksys_mount+0x12d/0x140 fs/namespace.c:3064
  __do_sys_mount fs/namespace.c:3078 [inline]
  __se_sys_mount fs/namespace.c:3075 [inline]
  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447099
RSP: 002b:00007f0d700f6da8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00000000006ddc84 RCX: 0000000000447099
RDX: 00000000200001c0 RSI: 0000000020026ff8 RDI: 000000002000a000
RBP: 00000000006ddc80 R08: 00000000200007c0 R09: 0000000000000000
R10: 0000000000000080 R11: 0000000000000293 R12: 0030656c69662f2e
R13: 6f7365725f736e64 R14: 70756f7267632f2e R15: 0000000000000007
Code: c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 65 4c 8b 34 25 40 ee  
01 00 38 d0 7c 08 84 d2 0f 85 67 06 00 00 8b 3d fb bd ac 07 <85> ff 0f 84  
41 02 00 00 49 8d 86 30 08 00 00 48 89 c2 48 89 85
