From: syzbot <syzbot+95f1db35defd8524f1dd@syzkaller.appspotmail.com>
To: axboe@kernel.dk, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org,  syzkaller-bugs@googlegroups.com
Subject: [syzbot] [block?] BUG: sleeping function called from invalid context in unmap_mapping_folio
Date: Tue, 04 Feb 2025 07:33:21 -0800
Message-ID: <67a23341.050a0220.163cdc.0069.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    40b8e93e17bf Add linux-next specific files for 20250204
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11c2a3df980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ec880188a87c6aad
dashboard link: https://syzkaller.appspot.com/bug?extid=95f1db35defd8524f1dd
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16010df8580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12f078a4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ccdfef06f59f/disk-40b8e93e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b339eaf8dcfd/vmlinux-40b8e93e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ae1a0f1c3c80/bzImage-40b8e93e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+95f1db35defd8524f1dd@syzkaller.appspotmail.com

BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 9141, name: syz-executor179
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
2 locks held by syz-executor179/9141:
 #0: ffff8880260a34c8 (&disk->open_mutex){+.+.}-{4:4}, at: bdev_open+0xf0/0xc50 block/bdev.c:903
 #1: ffffffff8e938960 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #1: ffffffff8e938960 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #1: ffffffff8e938960 (rcu_read_lock){....}-{1:3}, at: blk_mq_flush_plug_list+0x282/0x1870 block/blk-mq.c:2904
CPU: 1 UID: 0 PID: 9141 Comm: syz-executor179 Not tainted 6.14.0-rc1-next-20250204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 __might_resched+0x5d4/0x780 kernel/sched/core.c:8766
 down_read+0x8e/0xa40 kernel/locking/rwsem.c:1523
 i_mmap_lock_read include/linux/fs.h:565 [inline]
 unmap_mapping_folio+0x284/0x3b0 mm/memory.c:3887
 folio_unmap_invalidate+0x122/0x510 mm/truncate.c:557
 folio_end_reclaim_write mm/filemap.c:1609 [inline]
 folio_end_writeback+0x430/0x560 mm/filemap.c:1642
 end_bio_bh_io_sync+0xbf/0x120 fs/buffer.c:2766
 blk_update_request+0x5e5/0x1160 block/blk-mq.c:983
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1145
 nullb_complete_cmd drivers/block/null_blk/main.c:1354 [inline]
 null_handle_cmd drivers/block/null_blk/main.c:1405 [inline]
 null_queue_rq+0xbb1/0xd60 drivers/block/null_blk/main.c:1645
 null_queue_rqs+0x1e7/0x370 drivers/block/null_blk/main.c:1659
 __blk_mq_flush_plug_list block/blk-mq.c:2825 [inline]
 blk_mq_flush_plug_list+0x56a/0x1870 block/blk-mq.c:2904
 __blk_flush_plug+0x420/0x500 block/blk-core.c:1213
 blk_finish_plug+0x5e/0x80 block/blk-core.c:1240
 blkdev_writepages+0xb4/0x100 block/fops.c:460
 do_writepages+0x35f/0x880 mm/page-writeback.c:2687
 filemap_fdatawrite_wbc mm/filemap.c:389 [inline]
 __filemap_fdatawrite_range mm/filemap.c:422 [inline]
 filemap_write_and_wait_range+0x283/0x3a0 mm/filemap.c:694
 bdev_disk_changed+0x1f9/0x13f0 block/partitions/core.c:656
 blkdev_get_whole+0x2d2/0x450 block/bdev.c:706
 bdev_open+0x2d4/0xc50 block/bdev.c:915
 bdev_file_open_by_dev+0x1b0/0x220 block/bdev.c:1017
 disk_scan_partitions+0x1be/0x2b0 block/genhd.c:374
 blkdev_common_ioctl+0x13cf/0x2460 block/ioctl.c:617
 blkdev_ioctl+0x4ca/0x6a0 block/ioctl.c:687
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff8ff244ba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe3d9b7178 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff8ff244ba9
RDX: 0000000000000000 RSI: 000000000000125f RDI: 0000000000000004
RBP: 00000000000f4240 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000029a0b
R13: 00007ffe3d9b719c R14: 00007ffe3d9b71b0 R15: 00007ffe3d9b71a0
 </TASK>

=============================
[ BUG: Invalid wait context ]
6.14.0-rc1-next-20250204-syzkaller #0 Tainted: G        W         
-----------------------------
syz-executor179/9141 is trying to lock:
ffff888023423870 (&mapping->i_mmap_rwsem){++++}-{4:4}, at: i_mmap_lock_read include/linux/fs.h:565 [inline]
ffff888023423870 (&mapping->i_mmap_rwsem){++++}-{4:4}, at: unmap_mapping_folio+0x284/0x3b0 mm/memory.c:3887
other info that might help us debug this:
context-{5:5}
2 locks held by syz-executor179/9141:
 #0: ffff8880260a34c8 (&disk->open_mutex){+.+.}-{4:4}, at: bdev_open+0xf0/0xc50 block/bdev.c:903
 #1: ffffffff8e938960 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #1: ffffffff8e938960 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #1: ffffffff8e938960 (rcu_read_lock){....}-{1:3}, at: blk_mq_flush_plug_list+0x282/0x1870 block/blk-mq.c:2904
stack backtrace:
CPU: 1 UID: 0 PID: 9141 Comm: syz-executor179 Tainted: G        W          6.14.0-rc1-next-20250204-syzkaller #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4828 [inline]
 check_wait_context kernel/locking/lockdep.c:4900 [inline]
 __lock_acquire+0x15a8/0x2100 kernel/locking/lockdep.c:5178
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
 down_read+0xb1/0xa40 kernel/locking/rwsem.c:1524
 i_mmap_lock_read include/linux/fs.h:565 [inline]
 unmap_mapping_folio+0x284/0x3b0 mm/memory.c:3887
 folio_unmap_invalidate+0x122/0x510 mm/truncate.c:557
 folio_end_reclaim_write mm/filemap.c:1609 [inline]
 folio_end_writeback+0x430/0x560 mm/filemap.c:1642
 end_bio_bh_io_sync+0xbf/0x120 fs/buffer.c:2766
 blk_update_request+0x5e5/0x1160 block/blk-mq.c:983
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1145
 nullb_complete_cmd drivers/block/null_blk/main.c:1354 [inline]
 null_handle_cmd drivers/block/null_blk/main.c:1405 [inline]
 null_queue_rq+0xbb1/0xd60 drivers/block/null_blk/main.c:1645
 null_queue_rqs+0x1e7/0x370 drivers/block/null_blk/main.c:1659
 __blk_mq_flush_plug_list block/blk-mq.c:2825 [inline]
 blk_mq_flush_plug_list+0x56a/0x1870 block/blk-mq.c:2904
 __blk_flush_plug+0x420/0x500 block/blk-core.c:1213
 blk_finish_plug+0x5e/0x80 block/blk-core.c:1240
 blkdev_writepages+0xb4/0x100 block/fops.c:460
 do_writepages+0x35f/0x880 mm/page-writeback.c:2687
 filemap_fdatawrite_wbc mm/filemap.c:389 [inline]
 __filemap_fdatawrite_range mm/filemap.c:422 [inline]
 filemap_write_and_wait_range+0x283/0x3a0 mm/filemap.c:694
 bdev_disk_changed+0x1f9/0x13f0 block/partitions/core.c:656
 blkdev_get_whole+0x2d2/0x450 block/bdev.c:706
 bdev_open+0x2d4/0xc50 block/bdev.c:915
 bdev_file_open_by_dev+0x1b0/0x220 block/bdev.c:1017
 disk_scan_partitions+0x1be/0x2b0 block/genhd.c:374
 blkdev_common_ioctl+0x13cf/0x2460 block/ioctl.c:617
 blkdev_ioctl+0x4ca/0x6a0 block/ioctl.c:687
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff8ff244ba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe3d9b7178 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff8ff244ba9
RDX: 0000000000000000 RSI: 000000000000125f RDI: 0000000000000004
RBP: 00000000000f4240 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000029a0b
R13: 00007ffe3d9b719c R14: 00007ffe3d9b71b0 R15: 00007ffe3d9b71a0
 </TASK>
BUG: sleeping function called from invalid context at ./include/linux/mmu_notifier.h:434
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 9141, name: syz-executor179
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
INFO: lockdep is turned off.
CPU: 0 UID: 0 PID: 9141 Comm: syz-executor179 Tainted: G        W          6.14.0-rc1-next-20250204-syzkaller #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 __might_resched+0x5d4/0x780 kernel/sched/core.c:8766
 mmu_notifier_invalidate_range_start include/linux/mmu_notifier.h:434 [inline]
 zap_page_range_single+0x386/0x630 mm/memory.c:2015
 unmap_mapping_range_vma mm/memory.c:3836 [inline]
 unmap_mapping_range_tree+0xd7/0x120 mm/memory.c:3853
 unmap_mapping_folio+0x30e/0x3b0 mm/memory.c:3889
 folio_unmap_invalidate+0x122/0x510 mm/truncate.c:557
 folio_end_reclaim_write mm/filemap.c:1609 [inline]
 folio_end_writeback+0x430/0x560 mm/filemap.c:1642
 end_bio_bh_io_sync+0xbf/0x120 fs/buffer.c:2766
 blk_update_request+0x5e5/0x1160 block/blk-mq.c:983
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1145
 nullb_complete_cmd drivers/block/null_blk/main.c:1354 [inline]
 null_handle_cmd drivers/block/null_blk/main.c:1405 [inline]
 null_queue_rq+0xbb1/0xd60 drivers/block/null_blk/main.c:1645
 null_queue_rqs+0x1e7/0x370 drivers/block/null_blk/main.c:1659
 __blk_mq_flush_plug_list block/blk-mq.c:2825 [inline]
 blk_mq_flush_plug_list+0x56a/0x1870 block/blk-mq.c:2904
 __blk_flush_plug+0x420/0x500 block/blk-core.c:1213
 blk_finish_plug+0x5e/0x80 block/blk-core.c:1240
 blkdev_writepages+0xb4/0x100 block/fops.c:460
 do_writepages+0x35f/0x880 mm/page-writeback.c:2687
 filemap_fdatawrite_wbc mm/filemap.c:389 [inline]
 __filemap_fdatawrite_range mm/filemap.c:422 [inline]
 filemap_write_and_wait_range+0x283/0x3a0 mm/filemap.c:694
 bdev_disk_changed+0x1f9/0x13f0 block/partitions/core.c:656
 blkdev_get_whole+0x2d2/0x450 block/bdev.c:706
 bdev_open+0x2d4/0xc50 block/bdev.c:915
 bdev_file_open_by_dev+0x1b0/0x220 block/bdev.c:1017
 disk_scan_partitions+0x1be/0x2b0 block/genhd.c:374
 blkdev_common_ioctl+0x13cf/0x2460 block/ioctl.c:617
 blkdev_ioctl+0x4ca/0x6a0 block/ioctl.c:687
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff8ff244ba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe3d9b7178 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff8ff244ba9
RDX: 0000000000000000 RSI: 000000000000125f RDI: 0000000000000004
RBP: 00000000000f4240 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000029a0b
R13: 00007ffe3d9b719c R14: 00007ffe3d9b71b0 R15: 00007ffe3d9b71a0
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Thread overview: 2+ messages
2025-02-04 15:33 syzbot [this message]
2025-02-05  5:58 ` [syzbot] [block?] BUG: sleeping function called from invalid context in unmap_mapping_folio syzbot