linux-ext4.vger.kernel.org archive mirror
From: Dmitry Vyukov <dvyukov@google.com>
To: Al Viro <viro@zeniv.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	jack@suse.com,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-ext4@vger.kernel.org
Cc: syzkaller@googlegroups.com, Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Andrey Konovalov <andreyknvl@google.com>,
	Sasha Levin <sasha.levin@oracle.com>,
	Julien Tinnes <jln@google.com>, Kees Cook <keescook@google.com>
Subject: Uninterruptable hang in sendfile
Date: Mon, 12 Oct 2015 11:18:48 +0200
Message-ID: <CACT4Y+Z-7GuiLKBwRXrGCNwte5DBjwRyqtxr-MmZ-C94RJftvw@mail.gmail.com>

Hello,

The following program leads to a hang in D state:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <syscall.h>
#include <unistd.h>   /* declares syscall() */
#include <string.h>
#include <stdint.h>

int main()
{
        /* Scratch pages: PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED. */
        long r0 = syscall(SYS_mmap, 0x20001000ul, 0x1000ul, 0x3ul,
                          0x32ul, 0xfffffffffffffffful, 0x0ul);
        memcpy((void*)0x20001c12, "./file0\x00", 8);
        /* flags 0x1410c2 = O_RDWR|O_CREAT|O_EXCL|O_DSYNC|O_NOATIME|O_SYNC on x86-64,
           so every write to this file is followed by a synchronous flush. */
        long r2 = syscall(SYS_open, 0x20001c12ul, 0x1410c2ul, 0x88ul);
        long r3 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul,
                          0x32ul, 0xfffffffffffffffful, 0x0ul);
        long r4 = syscall(SYS_mmap, 0x20002000ul, 0x1000ul, 0x3ul,
                          0x32ul, 0xfffffffffffffffful, 0x0ul);
        memcpy((void*)0x20002ff8, "./file0\x00", 8);
        long r6 = syscall(SYS_chown, 0x20002ff8ul, 0x1ul, 0xfffffffffffffffful);
        /* Repeated fixed mappings of the same page (fuzzer noise, harmless). */
        long r7 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul,
                          0x32ul, 0xfffffffffffffffful, 0x0ul);
        long r8 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul,
                          0x32ul, 0xfffffffffffffffful, 0x0ul);
        long r9 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul,
                          0x32ul, 0xfffffffffffffffful, 0x0ul);
        long r10 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul,
                           0x32ul, 0xfffffffffffffffful, 0x0ul);
        /* An iovec array for writev; fd 0x1869f (99999) is not open in this
           process, so the call fails with EBADF and plays no part in the hang. */
        *(uint64_t*)0x20000fdd = 0x20000000;
        *(uint64_t*)0x20000fe5 = 0x1000;
        *(uint64_t*)0x20000fed = 0x20000000;
        *(uint64_t*)0x20000ff5 = 0xab;
        *(uint64_t*)0x20000ffd = 0x20000000;
        *(uint64_t*)0x20001005 = 0x73;
        *(uint64_t*)0x2000100d = 0x20000fd4;
        *(uint64_t*)0x20001015 = 0x2c;
        long r23 = syscall(SYS_writev, 0x1869ful, 0x20000fddul, 0x4ul);
        long r24 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul,
                           0x32ul, 0xfffffffffffffffful, 0x0ul);
        /* Shrink the file to 2 bytes and move the file position to its end. */
        long r25 = syscall(SYS_ftruncate, r2, 0x2ul);
        long r26 = syscall(SYS_lseek, r2, 0x0ul, 0x2ul);
        /* sendfile from the file to itself: in_fd == out_fd, read offset 0 taken
           from *0x20000ff8, writes at the current position, up to 0xfffffff bytes. */
        *(uint64_t*)0x20000ff8 = 0x0;
        long r28 = syscall(SYS_sendfile, r2, r2, 0x20000ff8ul, 0xffffffful);
        return 0;
}

/proc/self/stack shows:

[<ffffffff8122fa85>] jbd2_log_wait_commit+0x95/0x110 fs/jbd2/journal.c:706 (discriminator 2)
[<ffffffff812324e2>] jbd2_complete_transaction+0x52/0x90 fs/jbd2/journal.c:744
[<ffffffff811dc2c4>] ext4_sync_file+0x254/0x2e0 fs/ext4/fsync.c:141
[<ffffffff811932e6>] vfs_fsync_range+0x36/0xa0 fs/sync.c:190
[<     inline     >] generic_write_sync include/linux/fs.h:2442
[<ffffffff811db6ff>] ext4_file_write_iter+0x13f/0x340 fs/ext4/file.c:177
[<ffffffff81165331>] vfs_iter_write+0x61/0x90 fs/read_write.c:364
[<ffffffff8119150d>] iter_file_splice_write+0x1dd/0x370 fs/splice.c:1012
[<     inline     >] do_splice_from fs/splice.c:1116
[<ffffffff811906f1>] direct_splice_actor+0x31/0x40 fs/splice.c:1282
[<ffffffff81190e10>] splice_direct_to_actor+0x90/0x1f0 fs/splice.c:1235
[<ffffffff81190fe7>] do_splice_direct+0x77/0xa0 fs/splice.c:1325
[<ffffffff811664b8>] do_sendfile+0x198/0x380 fs/read_write.c:1227
[<     inline     >] SYSC_sendfile64 fs/read_write.c:1282
[<ffffffff81166f5a>] SyS_sendfile64+0x4a/0x90 fs/read_write.c:1274
[<ffffffff81859a97>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185

On commit dd36d7393d6310b0c1adefb22fba79c3cf8a577c
(git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git)

Found with syzkaller fuzzer.
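As an added triage helper (not part of the report or of any kernel tool), the script below parses a /proc/<pid>/stack dump in the format quoted above, including frames whose file:line wrapped onto the next line, and reports where the D-state task is sleeping, which syscall entered the kernel, and whether a jbd2 journal wait is on the path; the sample dump is a constructed, abridged copy of the trace in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, abridged copy of the /proc/<pid>/stack dump from the report; the two
# frames whose "file:line" wrapped onto the next line are kept on purpose.
SAMPLE_STACK = """\
[<ffffffff8122fa85>] jbd2_log_wait_commit+0x95/0x110
fs/jbd2/journal.c:706 (discriminator 2)
[<ffffffff812324e2>] jbd2_complete_transaction+0x52/0x90 fs/jbd2/journal.c:744
[<ffffffff811dc2c4>] ext4_sync_file+0x254/0x2e0 fs/ext4/fsync.c:141
[<ffffffff811932e6>] vfs_fsync_range+0x36/0xa0 fs/sync.c:190
[<     inline     >] generic_write_sync include/linux/fs.h:2442
[<ffffffff811db6ff>] ext4_file_write_iter+0x13f/0x340 fs/ext4/file.c:177
[<ffffffff81190fe7>] do_splice_direct+0x77/0xa0 fs/splice.c:1325
[<ffffffff811664b8>] do_sendfile+0x198/0x380 fs/read_write.c:1227
[<     inline     >] SYSC_sendfile64 fs/read_write.c:1282
[<ffffffff81166f5a>] SyS_sendfile64+0x4a/0x90 fs/read_write.c:1274
[<ffffffff81859a97>] entry_SYSCALL_64_fastpath+0x12/0x6a
arch/x86/entry/entry_64.S:185
"""

# One frame: "[<addr>] symbol+0xoff/0xsize [file:line]"; addr is "inline" for inlined frames.
FRAME_RE = re.compile(r"^\[<\s*(?P<addr>[0-9a-f]+|inline)\s*>\]\s+(?P<sym>[\w.]+)"
                      r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+(?P<loc>\S+:\d+))?")
LOC_RE = re.compile(r"^(?P<loc>\S+:\d+)")  # a bare "file:line" continuation line

@dataclass
class Frame:
    symbol: str
    inline: bool
    location: Optional[str] = None

def parse_stack(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(m["sym"], m["addr"] == "inline", m["loc"]))
        elif LOC_RE.match(line) and frames and frames[-1].location is None:
            frames[-1].location = LOC_RE.match(line)["loc"]  # glue wrapped file:line
    return frames

def summarize(text: str) -> dict:
    frames = parse_stack(text)  # frames[0] is the innermost frame, i.e. the sleep point
    entry = next((f.symbol for f in frames
                  if f.symbol.startswith(("SYSC_", "SyS_", "sys_"))), None)
    return {"waiting_in": frames[0].symbol, "waiting_at": frames[0].location,
            "syscall": entry, "frames": len(frames),
            "journal_wait": any(f.symbol.startswith("jbd2_") for f in frames)}
```

On a live system, feed it the contents of /proc/<pid>/stack for any task that `ps` shows in state D for longer than expected.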

Thread overview: 2+ messages
2015-10-12  9:18 Dmitry Vyukov [this message]
2015-10-12 12:33 ` Uninterruptable hang in sendfile Jan Kara
