From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dmitry Vyukov
Subject: Uninterruptable hang in sendfile
Date: Mon, 12 Oct 2015 11:18:48 +0200
Message-ID:
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Cc: syzkaller@googlegroups.com, Kostya Serebryany , Alexander Potapenko , Andrey Konovalov , Sasha Levin , Julien Tinnes , Kees Cook
To: Al Viro , "Theodore Ts'o" , jack@suse.com, "linux-fsdevel@vger.kernel.org" , LKML , linux-ext4@vger.kernel.org
Return-path:
Sender: linux-kernel-owner@vger.kernel.org
List-Id: linux-ext4.vger.kernel.org

Hello,

The following program leads to a hang in D state:

// autogenerated by syzkaller (http://github.com/google/syzkaller)

#include
#include
#include

int main()
{
	long r0 = syscall(SYS_mmap, 0x20001000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	memcpy((void*)0x20001c12, "./file0\x00", 8);
	long r2 = syscall(SYS_open, 0x20001c12ul, 0x1410c2ul, 0x88ul);
	long r3 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	long r4 = syscall(SYS_mmap, 0x20002000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	memcpy((void*)0x20002ff8, "./file0\x00", 8);
	long r6 = syscall(SYS_chown, 0x20002ff8ul, 0x1ul, 0xfffffffffffffffful);
	long r7 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	long r8 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	long r9 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	long r10 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	*(uint64_t*)0x20000fdd = 0x20000000;
	*(uint64_t*)0x20000fe5 = 0x1000;
	*(uint64_t*)0x20000fed = 0x20000000;
	*(uint64_t*)0x20000ff5 = 0xab;
	*(uint64_t*)0x20000ffd = 0x20000000;
	*(uint64_t*)0x20001005 = 0x73;
	*(uint64_t*)0x2000100d = 0x20000fd4;
	*(uint64_t*)0x20001015 = 0x2c;
	long r23 = syscall(SYS_writev, 0x1869ful, 0x20000fddul, 0x4ul);
	long r24 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	long r25 = syscall(SYS_ftruncate, r2, 0x2ul);
	long r26 = syscall(SYS_lseek, r2, 0x0ul, 0x2ul);
	*(uint64_t*)0x20000ff8 = 0x0;
	long r28 = syscall(SYS_sendfile, r2, r2, 0x20000ff8ul, 0xffffffful);
	return 0;
}

/proc/self/stack shows:

[] jbd2_log_wait_commit+0x95/0x110 fs/jbd2/journal.c:706 (discriminator 2)
[] jbd2_complete_transaction+0x52/0x90 fs/jbd2/journal.c:744
[] ext4_sync_file+0x254/0x2e0 fs/ext4/fsync.c:141
[] vfs_fsync_range+0x36/0xa0 fs/sync.c:190
[< inline >] generic_write_sync include/linux/fs.h:2442
[] ext4_file_write_iter+0x13f/0x340 fs/ext4/file.c:177
[] vfs_iter_write+0x61/0x90 fs/read_write.c:364
[] iter_file_splice_write+0x1dd/0x370 fs/splice.c:1012
[< inline >] do_splice_from fs/splice.c:1116
[] direct_splice_actor+0x31/0x40 fs/splice.c:1282
[] splice_direct_to_actor+0x90/0x1f0 fs/splice.c:1235
[] do_splice_direct+0x77/0xa0 fs/splice.c:1325
[] do_sendfile+0x198/0x380 fs/read_write.c:1227
[< inline >] SYSC_sendfile64 fs/read_write.c:1282
[] SyS_sendfile64+0x4a/0x90 fs/read_write.c:1274
[] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185

On commit dd36d7393d6310b0c1adefb22fba79c3cf8a577c (git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git)

Found with syzkaller fuzzer.