[syzbot] [bluetooth?] possible deadlock in hci_dev_do_close

[syzbot] [bluetooth?] possible deadlock in hci_dev_do_close

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    940fcc189c51 Add linux-next specific files for 20230921
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=127d4f64680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1f140ae6e669ac24
dashboard link: https://syzkaller.appspot.com/bug?extid=4e3a76c5c505a3f49083
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1081124a680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10cfe14a680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b8921b235c24/disk-940fcc18.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c80a9f6bcdd4/vmlinux-940fcc18.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ed10a4df6950/bzImage-940fcc18.xz

The issue was bisected to:

commit 091e25d6b54992d1d702ae91cbac139d4c243251
Author: Arkadiusz Bokowy <arkadiusz.bokowy@gmail.com>
Date:   Wed Sep 20 15:30:07 2023 +0000

    Bluetooth: vhci: Fix race when opening vhci device

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1326e53c680000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=10a6e53c680000
console output: https://syzkaller.appspot.com/x/log.txt?x=1726e53c680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4e3a76c5c505a3f49083@syzkaller.appspotmail.com
Fixes: 091e25d6b549 ("Bluetooth: vhci: Fix race when opening vhci device")

======================================================
WARNING: possible circular locking dependency detected
6.6.0-rc2-next-20230921-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor126/5053 is trying to acquire lock:
ffff88807df1cdc0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10 kernel/workqueue.c:3403

but task is already holding lock:
ffff88807df1d0b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:552

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&hdev->req_lock){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x181/0x1340 kernel/locking/mutex.c:747
       hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:552
       hci_rfkill_set_block+0x1b9/0x200 net/bluetooth/hci_core.c:956
       rfkill_set_block+0x200/0x550 net/rfkill/core.c:346
       rfkill_fop_write+0x2d4/0x570 net/rfkill/core.c:1306
       vfs_write+0x2a4/0xe40 fs/read_write.c:582
       ksys_write+0x1f0/0x250 fs/read_write.c:637
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #2 (rfkill_global_mutex){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x181/0x1340 kernel/locking/mutex.c:747
       rfkill_register+0x3a/0xb30 net/rfkill/core.c:1075
       hci_register_dev+0x43a/0xd40 net/bluetooth/hci_core.c:2656
       __vhci_create_device+0x393/0x800 drivers/bluetooth/hci_vhci.c:437
       vhci_create_device drivers/bluetooth/hci_vhci.c:478 [inline]
       vhci_get_user drivers/bluetooth/hci_vhci.c:535 [inline]
       vhci_write+0x2c7/0x470 drivers/bluetooth/hci_vhci.c:615
       call_write_iter include/linux/fs.h:1957 [inline]
       new_sync_write fs/read_write.c:491 [inline]
       vfs_write+0x650/0xe40 fs/read_write.c:584
       ksys_write+0x12f/0x250 fs/read_write.c:637
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #1 (&data->open_mutex){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x181/0x1340 kernel/locking/mutex.c:747
       vhci_send_frame+0x67/0xa0 drivers/bluetooth/hci_vhci.c:78
       hci_send_frame+0x220/0x470 net/bluetooth/hci_core.c:3039
       hci_sched_acl_pkt net/bluetooth/hci_core.c:3651 [inline]
       hci_sched_acl net/bluetooth/hci_core.c:3736 [inline]
       hci_tx_work+0x1456/0x1e40 net/bluetooth/hci_core.c:3835
       process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
       process_scheduled_works kernel/workqueue.c:2703 [inline]
       worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
       kthread+0x33c/0x440 kernel/kthread.c:388
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

-> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain kernel/locking/lockdep.c:3868 [inline]
       __lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5136
       lock_acquire kernel/locking/lockdep.c:5753 [inline]
       lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
       __flush_work+0x103/0xa10 kernel/workqueue.c:3403
       hci_dev_close_sync+0x22d/0x1160 net/bluetooth/hci_sync.c:4982
       hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:554
       hci_rfkill_set_block+0x1b9/0x200 net/bluetooth/hci_core.c:956
       rfkill_set_block+0x200/0x550 net/rfkill/core.c:346
       rfkill_fop_write+0x2d4/0x570 net/rfkill/core.c:1306
       vfs_write+0x2a4/0xe40 fs/read_write.c:582
       ksys_write+0x1f0/0x250 fs/read_write.c:637
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

Chain exists of:
  (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&hdev->req_lock);
                               lock(rfkill_global_mutex);
                               lock(&hdev->req_lock);
  lock((work_completion)(&hdev->tx_work));

 *** DEADLOCK ***

2 locks held by syz-executor126/5053:
 #0: ffffffff8ea842a8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570 net/rfkill/core.c:1298
 #1: ffff88807df1d0b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:552

stack backtrace:
CPU: 1 PID: 5053 Comm: syz-executor126 Not tainted 6.6.0-rc2-next-20230921-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 check_noncircular+0x311/0x3f0 kernel/locking/lockdep.c:2187
 check_prev_add kernel/locking/lockdep.c:3134 [inline]
 check_prevs_add kernel/locking/lockdep.c:3253 [inline]
 validate_chain kernel/locking/lockdep.c:3868 [inline]
 __lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5136
 lock_acquire kernel/locking/lockdep.c:5753 [inline]
 lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
 __flush_work+0x103/0xa10 kernel/workqueue.c:3403
 hci_dev_close_sync+0x22d/0x1160 net/bluetooth/hci_sync.c:4982
 hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:554
 hci_rfkill_set_block+0x1b9/0x200 net/bluetooth/hci_core.c:956
 rfkill_set_block+0x200/0x550 net/rfkill/core.c:346
 rfkill_fop_write+0x2d4/0x570 net/rfkill/core.c:1306
 vfs_write+0x2a4/0xe40 fs/read_write.c:582
 ksys_write+0x1f0/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8297388479
Code: 48 83 c4 28 c3 e8 e7 18 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc9ef0d068 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f82973df043 RCX: 00007f8297388479
RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007ffc9ef0d0b0 R08: 000000ff00ffa650 R09: 000000ff00ffa650
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc9ef0d098
R13: 00007f829740c5b0 R14: 0000000000000000 R15: 0000000000000001
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: test
Author: mukattreyee@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot] Re: possible deadlock in hci_dev_do_close

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: possible deadlock in hci_dev_do_close
Author: pchelkin@ispras.ru

#syz dup: possible deadlock in hci_rfkill_set_block

[syzbot] [net?] possible deadlock in gtp_encap_enable_socket

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    9410645520e9 Merge tag 'net-next-6.12' of git://git.kernel..
git tree:       net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15d39e9f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=37c006d80708398d
dashboard link: https://syzkaller.appspot.com/bug?extid=e953a8f3071f5c0a28fd
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16215ca9980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=110c6c27980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/80466d230dfb/disk-94106455.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ba253eabab42/vmlinux-94106455.xz
kernel image: https://storage.googleapis.com/syzbot-assets/569982fb6c88/bzImage-94106455.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e953a8f3071f5c0a28fd@syzkaller.appspotmail.com

IPVS: Unknown mcast interface: macvlan0
netlink: 8 bytes leftover after parsing attributes in process `syz-executor297'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor297'.
======================================================
WARNING: possible circular locking dependency detected
6.11.0-syzkaller-01458-g9410645520e9 #0 Not tainted
------------------------------------------------------
syz-executor297/5243 is trying to acquire lock:
ffff88801cf99158 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1609 [inline]
ffff88801cf99158 (sk_lock-AF_INET){+.+.}-{0:0}, at: gtp_encap_enable_socket+0x2ce/0x5c0 drivers/net/gtp.c:1674

but task is already holding lock:
ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (rtnl_mutex){+.+.}-{3:3}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
       start_sync_thread+0xdc/0x2dc0 net/netfilter/ipvs/ip_vs_sync.c:1761
       do_ip_vs_set_ctl+0x442/0x13d0 net/netfilter/ipvs/ip_vs_ctl.c:2732
       nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101
       smc_setsockopt+0x275/0xe50 net/smc/af_smc.c:3064
       do_sock_setsockopt+0x3af/0x720 net/socket.c:2330
       __sys_setsockopt+0x1ae/0x250 net/socket.c:2353
       __do_sys_setsockopt net/socket.c:2362 [inline]
       __se_sys_setsockopt net/socket.c:2359 [inline]
       __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2359
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (&smc->clcsock_release_lock){+.+.}-{3:3}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
       smc_switch_to_fallback+0x35/0xdb0 net/smc/af_smc.c:902
       smc_sendmsg+0x11f/0x530 net/smc/af_smc.c:2771
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x221/0x270 net/socket.c:745
       ____sys_sendmsg+0x525/0x7d0 net/socket.c:2603
       ___sys_sendmsg net/socket.c:2657 [inline]
       __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2686
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (sk_lock-AF_INET){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3133 [inline]
       check_prevs_add kernel/locking/lockdep.c:3252 [inline]
       validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
       __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
       lock_sock_nested+0x48/0x100 net/core/sock.c:3611
       lock_sock include/net/sock.h:1609 [inline]
       gtp_encap_enable_socket+0x2ce/0x5c0 drivers/net/gtp.c:1674
       gtp_encap_enable drivers/net/gtp.c:1707 [inline]
       gtp_newlink+0x589/0xf30 drivers/net/gtp.c:1511
       rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
       __rtnl_newlink net/core/rtnetlink.c:3730 [inline]
       rtnl_newlink+0x1591/0x20a0 net/core/rtnetlink.c:3743
       rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6646
       netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
       netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
       netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
       netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x221/0x270 net/socket.c:745
       ____sys_sendmsg+0x525/0x7d0 net/socket.c:2603
       ___sys_sendmsg net/socket.c:2657 [inline]
       __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2686
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  sk_lock-AF_INET --> &smc->clcsock_release_lock --> rtnl_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&smc->clcsock_release_lock);
                               lock(rtnl_mutex);
  lock(sk_lock-AF_INET);

 *** DEADLOCK ***

1 lock held by syz-executor297/5243:
 #0: ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
 #0: ffffffff8fc88588 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x6e6/0xcf0 net/core/rtnetlink.c:6643

stack backtrace:
CPU: 0 UID: 0 PID: 5243 Comm: syz-executor297 Not tainted 6.11.0-syzkaller-01458-g9410645520e9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2186
 check_prev_add kernel/locking/lockdep.c:3133 [inline]
 check_prevs_add kernel/locking/lockdep.c:3252 [inline]
 validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
 __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
 lock_sock_nested+0x48/0x100 net/core/sock.c:3611
 lock_sock include/net/sock.h:1609 [inline]
 gtp_encap_enable_socket+0x2ce/0x5c0 drivers/net/gtp.c:1674
 gtp_encap_enable drivers/net/gtp.c:1707 [inline]
 gtp_newlink+0x589/0xf30 drivers/net/gtp.c:1511
 rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3730 [inline]
 rtnl_newlink+0x1591/0x20a0 net/core/rtnetlink.c:3743
 rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6646
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2603
 ___sys_sendmsg net/socket.c:2657 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2686
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fed198844a9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RS


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: test
Author: danielyangkang@gmail.com

#syz test

[syzbot] [net?] KMSAN: kernel-infoleak in move_addr_to_user (7)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    88264981f208 Merge tag 'sched_ext-for-6.12' of git://git.k..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=172c4107980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=547de13ee0a4d284
dashboard link: https://syzkaller.appspot.com/bug?extid=346474e3bf0b26bd3090
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d7c19f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c81c27980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d83fc781c223/disk-88264981.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1ed4c5969fba/vmlinux-88264981.xz
kernel image: https://storage.googleapis.com/syzbot-assets/76a67bd894be/bzImage-88264981.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+346474e3bf0b26bd3090@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:180 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:26
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _inline_copy_to_user include/linux/uaccess.h:180 [inline]
 _copy_to_user+0xbc/0x110 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:209 [inline]
 move_addr_to_user+0x28b/0x400 net/socket.c:292
 ____sys_recvmsg+0x232/0x620 net/socket.c:2829
 ___sys_recvmsg+0x223/0x840 net/socket.c:2864
 do_recvmmsg+0x4f6/0xfd0 net/socket.c:2958
 __sys_recvmmsg net/socket.c:3037 [inline]
 __do_sys_recvmmsg net/socket.c:3060 [inline]
 __se_sys_recvmmsg net/socket.c:3053 [inline]
 __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3053
 x64_sys_call+0x2e5d/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:300
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 packet_recvmsg+0x176a/0x2500 net/packet/af_packet.c:3585
 sock_recvmsg_nosec+0x22f/0x2b0 net/socket.c:1052
 ____sys_recvmsg+0x541/0x620 net/socket.c:2820
 ___sys_recvmsg+0x223/0x840 net/socket.c:2864
 do_recvmmsg+0x4f6/0xfd0 net/socket.c:2958
 __sys_recvmmsg net/socket.c:3037 [inline]
 __do_sys_recvmmsg net/socket.c:3060 [inline]
 __se_sys_recvmmsg net/socket.c:3053 [inline]
 __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3053
 x64_sys_call+0x2e5d/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:300
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 eth_header_parse+0xb8/0x110 net/ethernet/eth.c:204
 dev_parse_header include/linux/netdevice.h:3158 [inline]
 packet_rcv+0xefc/0x2050 net/packet/af_packet.c:2253
 dev_queue_xmit_nit+0x114b/0x12a0 net/core/dev.c:2347
 xmit_one net/core/dev.c:3584 [inline]
 dev_hard_start_xmit+0x17d/0xa20 net/core/dev.c:3604
 __dev_queue_xmit+0x3576/0x55e0 net/core/dev.c:4424
 dev_queue_xmit include/linux/netdevice.h:3094 [inline]
 __bpf_tx_skb net/core/filter.c:2152 [inline]
 __bpf_redirect_common net/core/filter.c:2196 [inline]
 __bpf_redirect+0x148c/0x1610 net/core/filter.c:2203
 ____bpf_clone_redirect net/core/filter.c:2475 [inline]
 bpf_clone_redirect+0x37e/0x500 net/core/filter.c:2447
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:2010
 __bpf_prog_run512+0xc5/0xf0 kernel/bpf/core.c:2253
 bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
 __bpf_prog_run include/linux/filter.h:701 [inline]
 bpf_prog_run include/linux/filter.h:708 [inline]
 bpf_test_run+0x546/0xd20 net/bpf/test_run.c:433
 bpf_prog_test_run_skb+0x182f/0x24d0 net/bpf/test_run.c:1094
 bpf_prog_test_run+0x6b1/0xac0 kernel/bpf/syscall.c:4320
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5735
 __do_sys_bpf kernel/bpf/syscall.c:5824 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5822 [inline]
 __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5822
 x64_sys_call+0x2cce/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4092 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
 pskb_expand_head+0x226/0x1a60 net/core/skbuff.c:2275
 skb_ensure_writable+0x496/0x520 net/core/skbuff.c:6214
 __bpf_try_make_writable net/core/filter.c:1677 [inline]
 bpf_try_make_writable net/core/filter.c:1683 [inline]
 bpf_try_make_head_writable net/core/filter.c:1691 [inline]
 ____bpf_clone_redirect net/core/filter.c:2469 [inline]
 bpf_clone_redirect+0x1c5/0x500 net/core/filter.c:2447
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:2010
 __bpf_prog_run512+0xc5/0xf0 kernel/bpf/core.c:2253
 bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
 __bpf_prog_run include/linux/filter.h:701 [inline]
 bpf_prog_run include/linux/filter.h:708 [inline]
 bpf_test_run+0x546/0xd20 net/bpf/test_run.c:433
 bpf_prog_test_run_skb+0x182f/0x24d0 net/bpf/test_run.c:1094
 bpf_prog_test_run+0x6b1/0xac0 kernel/bpf/syscall.c:4320
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5735
 __do_sys_bpf kernel/bpf/syscall.c:5824 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5822 [inline]
 __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5822
 x64_sys_call+0x2cce/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 12-17 of 20 are uninitialized
Memory access of size 20 starts at ffff88812112fa48
Data copied to user address 0000000020000ac0

CPU: 0 UID: 0 PID: 5234 Comm: syz-executor312 Not tainted 6.11.0-syzkaller-08481-g88264981f208 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: test
Author: danielyangkang@gmail.com

#syz test

[syzbot] [ntfs3?] UBSAN: array-index-out-of-bounds in decompress_lznt

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    f4345f05c0df Merge tag 'block-6.9-20240510' of git://git.k..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15035598980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9d7ea7de0cb32587
dashboard link: https://syzkaller.appspot.com/bug?extid=39b2fb0f2638669008ec
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16375db8980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16ef17a8980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eab3aead3b47/disk-f4345f05.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/64d327c02024/vmlinux-f4345f05.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0191e269a6fd/bzImage-f4345f05.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/293e623536d7/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/165c0c1a16ff/mount_1.gz

The issue was bisected to:

commit d68968440b1a75dee05cfac7f368f1aa139e1911
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Mon Jan 29 07:30:09 2024 +0000

    fs/ntfs3: Update inode->i_size after success write into compressed file

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13472020980000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=10c72020980000
console output: https://syzkaller.appspot.com/x/log.txt?x=17472020980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+39b2fb0f2638669008ec@syzkaller.appspotmail.com
Fixes: d68968440b1a ("fs/ntfs3: Update inode->i_size after success write into compressed file")

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/ntfs3/lznt.c:240:16
index 9 is out of range for type 'const size_t[9]' (aka 'const unsigned long[9]')
CPU: 1 PID: 5072 Comm: syz-executor335 Not tainted 6.9.0-rc7-syzkaller-00136-gf4345f05c0df #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 decompress_chunk fs/ntfs3/lznt.c:240 [inline]
 decompress_lznt+0x229/0xd50 fs/ntfs3/lznt.c:387
 ni_read_frame+0x1633/0x1c50 fs/ntfs3/frecord.c:2684
 ni_readpage_cmpr+0x38b/0xa60 fs/ntfs3/frecord.c:2143
 ntfs_read_folio+0x19e/0x210 fs/ntfs3/inode.c:725
 filemap_read_folio+0x1a0/0x790 mm/filemap.c:2331
 filemap_update_page mm/filemap.c:2415 [inline]
 filemap_get_pages+0x15a9/0x2090 mm/filemap.c:2529
 filemap_read+0x457/0xfa0 mm/filemap.c:2601
 __kernel_read+0x5c8/0xab0 fs/read_write.c:434
 integrity_kernel_read+0xb0/0x100 security/integrity/iint.c:28
 ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:485 [inline]
 ima_calc_file_shash security/integrity/ima/ima_crypto.c:516 [inline]
 ima_calc_file_hash+0xadb/0x1b30 security/integrity/ima/ima_crypto.c:573
 ima_collect_measurement+0x535/0xa90 security/integrity/ima/ima_api.c:291
 process_measurement+0x13ac/0x1f60 security/integrity/ima/ima_main.c:359
 ima_file_check+0xf2/0x170 security/integrity/ima/ima_main.c:559
 security_file_post_open+0x6d/0xa0 security/security.c:2981
 do_open fs/namei.c:3644 [inline]
 path_openat+0x28b7/0x3240 fs/namei.c:3799
 do_filp_open+0x235/0x490 fs/namei.c:3826
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1406
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_open fs/open.c:1429 [inline]
 __se_sys_open fs/open.c:1425 [inline]
 __x64_sys_open+0x225/0x270 fs/open.c:1425
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbd0c2059b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa3c72cd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fffa3c72ea8 RCX: 00007fbd0c2059b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000180
RBP: 00007fbd0c298610 R08: 00007fffa3c72ea8 R09: 00007fffa3c72ea8
R10: 00007fffa3c72ea8 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fffa3c72e98 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: test
Author: mukattreyee@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [mm?] INFO: rcu detected stall in validate_mm (3)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    dccb07f2914c Merge tag 'for-6.9-rc7-tag' of git://git.kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f6734c980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7144b4fe7fbf5900
dashboard link: https://syzkaller.appspot.com/bug?extid=a941018a091f1a1f9546
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10306760980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=138c8970980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e1fea5a49470/disk-dccb07f2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5f7d53577fef/vmlinux-dccb07f2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/430b18473a18/bzImage-dccb07f2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a941018a091f1a1f9546@syzkaller.appspotmail.com

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	Tasks blocked on level-0 rcu_node (CPUs 0-1): P17678/1:b..l
rcu: 	(detected by 1, t=10502 jiffies, g=36541, q=38 ncpus=2)
task:syz-executor952 state:R  running task     stack:28968 pid:17678 tgid:17678 ppid:5114   flags:0x00000002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5409 [inline]
 __schedule+0xf15/0x5d00 kernel/sched/core.c:6746
 preempt_schedule_irq+0x51/0x90 kernel/sched/core.c:7068
 irqentry_exit+0x36/0x90 kernel/entry/common.c:354
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:88 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:122 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xc7/0x1a0 mm/kasan/generic.c:189
Code: 83 c0 08 48 39 d0 0f 84 be 00 00 00 48 83 38 00 74 ed 48 8d 50 08 eb 0d 48 83 c0 01 48 39 c2 0f 84 8d 00 00 00 80 38 00 74 ee <48> 89 c2 b8 01 00 00 00 48 85 d2 74 1e 41 83 e2 07 49 39 d1 75 0a
RSP: 0018:ffffc900031ef850 EFLAGS: 00000202
RAX: fffffbfff2949b78 RBX: fffffbfff2949b79 RCX: ffffffff8ac92249
RDX: fffffbfff2949b79 RSI: 0000000000000004 RDI: ffffffff94a4dbc0
RBP: fffffbfff2949b78 R08: 0000000000000001 R09: fffffbfff2949b78
R10: ffffffff94a4dbc3 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000300 R15: 0000000000000000
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_inc include/linux/atomic/atomic-instrumented.h:435 [inline]
 mt_validate_nulls+0x5e9/0x9e0 lib/maple_tree.c:7550
 mt_validate+0x3148/0x4390 lib/maple_tree.c:7599
 validate_mm+0x9c/0x4b0 mm/mmap.c:288
 mmap_region+0x1478/0x2760 mm/mmap.c:2934
 do_mmap+0x8ae/0xf10 mm/mmap.c:1385
 vm_mmap_pgoff+0x1ab/0x3c0 mm/util.c:573
 ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1431
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline]
 __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f305228c143
RSP: 002b:00007ffdd7b4fc18 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: fffffffffffff000 RCX: 00007f305228c143
RDX: 0000000000000000 RSI: 0000000000021000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000020022 R11: 0000000000000246 R12: 00007ffdd7b4fe70
R13: ffffffffffffffc0 R14: 0000000000001000 R15: 0000000000000000
 </TASK>
rcu: rcu_preempt kthread starved for 10533 jiffies! g36541 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: 	Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt     state:R  running task     stack:28736 pid:16    tgid:16    ppid:2      flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5409 [inline]
 __schedule+0xf15/0x5d00 kernel/sched/core.c:6746
 __schedule_loop kernel/sched/core.c:6823 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6838
 schedule_timeout+0x136/0x2a0 kernel/time/timer.c:2582
 rcu_gp_fqs_loop+0x1eb/0xb00 kernel/rcu/tree.c:1663
 rcu_gp_kthread+0x271/0x380 kernel/rcu/tree.c:1862
 kthread+0x2c1/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
rcu: Stack dump where RCU GP kthread last ran:
CPU: 1 PID: 17676 Comm: syz-executor952 Not tainted 6.9.0-rc7-syzkaller-00012-gdccb07f2914c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x29/0x50 kernel/locking/spinlock.c:202
Code: 90 f3 0f 1e fa 53 48 8b 74 24 08 48 89 fb 48 83 c7 18 e8 6a 98 8c f6 48 89 df e8 c2 14 8d f6 e8 ed 98 b5 f6 fb bf 01 00 00 00 <e8> b2 4f 7e f6 65 8b 05 b3 88 24 75 85 c0 74 06 5b c3 cc cc cc cc
RSP: 0018:ffffc9000321fcf0 EFLAGS: 00000202
RAX: 0000000003959e61 RBX: ffff88801c3d0940 RCX: 1ffffffff1f3e279
RDX: 0000000000000000 RSI: ffffffff8b0cae00 RDI: 0000000000000001
RBP: ffff88801c3d0d40 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8f9f5657 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000021 R14: ffff88801c3d0940 R15: ffff88801c3d0940
FS:  00007f305221e6c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f305221de40 CR3: 000000002dcec000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 </IRQ>
 <TASK>
 spin_unlock_irq include/linux/spinlock.h:401 [inline]
 get_signal+0x1e3e/0x2710 kernel/signal.c:2914
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x14a/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xdc/0x260 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f305228c107
Code: 14 25 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 1b 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 <0f> 05 48 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89
RSP: 002b:00007f305221e238 EFLAGS: 00000246
RAX: 00000000000000ca RBX: 00007f305230f318 RCX: 00007f305228c109
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f305230f318
RBP: 00007f305230f310 R08: 00007f305221e6c0 R09: 00007f305221e6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f30522dc278
R13: 000000000000006e R14: 00007ffdd7b4fb90 R15: 00007ffdd7b4fc78
 </TASK>
sched: RT throttling activated


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: radoslaw.zielonek@gmail.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git dccb07f2914cdab2ac3a5b6c98406f765acab803

---
 include/linux/sched.h |  7 +++++++
 kernel/sched/core.c   |  1 +
 kernel/sched/rt.c     | 26 +++++++++++++++++++++++---
 kernel/signal.c       |  9 +++++++++
 4 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/include/linux/sched.h b/include/linux/sched.h
index 17cb0761ff65..123bc16ad3d0 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1121,6 +1121,13 @@ struct task_struct {
 	size_t				sas_ss_size;
 	unsigned int			sas_ss_flags;
 
+	/*
+	 * Number of signals received by an RT task between scheduling ticks.
+	 * This counter is used to throttle RT tasks when too many signals
+	 * (e.g., POSIX timers) are sent to the task, which can cause an RCU stall.
+	 */
+	atomic_t rt_signals_recv_count; /* used outside of the rq lock */
+
 	struct callback_head		*task_works;
 
 #ifdef CONFIG_AUDIT
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index d44efa0d0611..9def826bd35f 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4779,6 +4779,7 @@ int sched_fork(unsigned long clone_flags, struct task_struct *p)
 			p->policy = SCHED_NORMAL;
 			p->static_prio = NICE_TO_PRIO(0);
 			p->rt_priority = 0;
+			atomic_set(&p->rt_signals_recv_count, 0);
 		} else if (PRIO_TO_NICE(p->static_prio) < 0)
 			p->static_prio = NICE_TO_PRIO(0);
 
diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
index 3261b067b67e..9b22d67d1746 100644
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -24,6 +24,15 @@ int sysctl_sched_rt_period = 1000000;
  */
 int sysctl_sched_rt_runtime = 950000;
 
+/*
+ * To avoid an RCU stall due to a large number of signals received by RT tasks
+ * (e.g., POSIX timers), the RT task needs to be throttled.
+ * When the number of signals received by an RT task during a scheduling
+ * tick period exceeds the threshold, the RT task will be throttled.
+ * The value of 100 has not been thoroughly tested and may need adjustment.
+ */
+#define RT_RECV_SGINAL_THROTTLE_THRESHOLD 100
+
 #ifdef CONFIG_SYSCTL
 static int sysctl_sched_rr_timeslice = (MSEC_PER_SEC * RR_TIMESLICE) / HZ;
 static int sched_rt_handler(struct ctl_table *table, int write, void *buffer,
@@ -951,7 +960,7 @@ static inline int rt_se_prio(struct sched_rt_entity *rt_se)
 	return rt_task_of(rt_se)->prio;
 }
 
-static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq)
+static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq, int rt_signal_recv)
 {
 	u64 runtime = sched_rt_runtime(rt_rq);
 
@@ -966,7 +975,15 @@ static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq)
 	if (runtime == RUNTIME_INF)
 		return 0;
 
-	if (rt_rq->rt_time > runtime) {
+	/*
+	 * When a large number of signals are sent to this task (e.g., POSIX timers)
+	 * the delta time deviates significantly from real time due to the overhead
+	 * of handling signals. For RT tasks, this can cause an RCU stall.
+	 * To avoid this, throttle the task when the number of signals received
+	 * exceeds a certain threshold.
+	 */
+	if (rt_rq->rt_time > runtime ||
+		rt_signal_recv >= RT_RECV_SGINAL_THROTTLE_THRESHOLD) {
 		struct rt_bandwidth *rt_b = sched_rt_bandwidth(rt_rq);
 
 		/*
@@ -1021,7 +1038,9 @@ static void update_curr_rt(struct rq *rq)
 		if (sched_rt_runtime(rt_rq) != RUNTIME_INF) {
 			raw_spin_lock(&rt_rq->rt_runtime_lock);
 			rt_rq->rt_time += delta_exec;
-			exceeded = sched_rt_runtime_exceeded(rt_rq);
+			exceeded = sched_rt_runtime_exceeded(
+						rt_rq,
+						atomic_read(&curr->rt_signals_recv_count));
 			if (exceeded)
 				resched_curr(rq);
 			raw_spin_unlock(&rt_rq->rt_runtime_lock);
@@ -1029,6 +1048,7 @@ static void update_curr_rt(struct rq *rq)
 				do_start_rt_bandwidth(sched_rt_bandwidth(rt_rq));
 		}
 	}
+	atomic_set(&curr->rt_signals_recv_count, 0);
 }
 
 static void
diff --git a/kernel/signal.c b/kernel/signal.c
index bdca529f0f7b..d58e0ba9336c 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -629,6 +629,15 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask,
 	bool resched_timer = false;
 	int signr;
 
+	/*
+	 * To prevent an RCU stall due to receiving too many signals by RT tasks,
+	 * count all signals regardless of their type.
+	 * Based on this counter, the RT scheduler will decide whether the task
+	 * should be throttled or not.
+	 */
+	if (tsk->policy == SCHED_FIFO || tsk->policy == SCHED_RR)
+		atomic_inc(&tsk->rt_signals_recv_count);
+
 	/* We only dequeue private signals from ourselves, we don't let
 	 * signalfd steal them
 	 */
-- 
2.43.0

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: radoslaw.zielonek@gmail.com

#syz test 

---
 include/linux/sched.h |  7 +++++++
 kernel/sched/core.c   |  1 +
 kernel/sched/rt.c     | 26 +++++++++++++++++++++++---
 kernel/signal.c       |  9 +++++++++
 4 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/include/linux/sched.h b/include/linux/sched.h
index 17cb0761ff65..123bc16ad3d0 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1121,6 +1121,13 @@ struct task_struct {
 	size_t				sas_ss_size;
 	unsigned int			sas_ss_flags;
 
+	/*
+	 * Number of signals received by an RT task between scheduling ticks.
+	 * This counter is used to throttle RT tasks when too many signals
+	 * (e.g., POSIX timers) are sent to the task, which can cause an RCU stall.
+	 */
+	atomic_t rt_signals_recv_count; /* used outside of the rq lock */
+
 	struct callback_head		*task_works;
 
 #ifdef CONFIG_AUDIT
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index d44efa0d0611..9def826bd35f 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4779,6 +4779,7 @@ int sched_fork(unsigned long clone_flags, struct task_struct *p)
 			p->policy = SCHED_NORMAL;
 			p->static_prio = NICE_TO_PRIO(0);
 			p->rt_priority = 0;
+			atomic_set(&p->rt_signals_recv_count, 0);
 		} else if (PRIO_TO_NICE(p->static_prio) < 0)
 			p->static_prio = NICE_TO_PRIO(0);
 
diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
index 3261b067b67e..9b22d67d1746 100644
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -24,6 +24,15 @@ int sysctl_sched_rt_period = 1000000;
  */
 int sysctl_sched_rt_runtime = 950000;
 
+/*
+ * To avoid an RCU stall due to a large number of signals received by RT tasks
+ * (e.g., POSIX timers), the RT task needs to be throttled.
+ * When the number of signals received by an RT task during a scheduling
+ * tick period exceeds the threshold, the RT task will be throttled.
+ * The value of 100 has not been thoroughly tested and may need adjustment.
+ */
+#define RT_RECV_SGINAL_THROTTLE_THRESHOLD 100
+
 #ifdef CONFIG_SYSCTL
 static int sysctl_sched_rr_timeslice = (MSEC_PER_SEC * RR_TIMESLICE) / HZ;
 static int sched_rt_handler(struct ctl_table *table, int write, void *buffer,
@@ -951,7 +960,7 @@ static inline int rt_se_prio(struct sched_rt_entity *rt_se)
 	return rt_task_of(rt_se)->prio;
 }
 
-static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq)
+static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq, int rt_signal_recv)
 {
 	u64 runtime = sched_rt_runtime(rt_rq);
 
@@ -966,7 +975,15 @@ static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq)
 	if (runtime == RUNTIME_INF)
 		return 0;
 
-	if (rt_rq->rt_time > runtime) {
+	/*
+	 * When a large number of signals are sent to this task (e.g., POSIX timers)
+	 * the delta time deviates significantly from real time due to the overhead
+	 * of handling signals. For RT tasks, this can cause an RCU stall.
+	 * To avoid this, throttle the task when the number of signals received
+	 * exceeds a certain threshold.
+	 */
+	if (rt_rq->rt_time > runtime ||
+		rt_signal_recv >= RT_RECV_SGINAL_THROTTLE_THRESHOLD) {
 		struct rt_bandwidth *rt_b = sched_rt_bandwidth(rt_rq);
 
 		/*
@@ -1021,7 +1038,9 @@ static void update_curr_rt(struct rq *rq)
 		if (sched_rt_runtime(rt_rq) != RUNTIME_INF) {
 			raw_spin_lock(&rt_rq->rt_runtime_lock);
 			rt_rq->rt_time += delta_exec;
-			exceeded = sched_rt_runtime_exceeded(rt_rq);
+			exceeded = sched_rt_runtime_exceeded(
+						rt_rq,
+						atomic_read(&curr->rt_signals_recv_count));
 			if (exceeded)
 				resched_curr(rq);
 			raw_spin_unlock(&rt_rq->rt_runtime_lock);
@@ -1029,6 +1048,7 @@ static void update_curr_rt(struct rq *rq)
 				do_start_rt_bandwidth(sched_rt_bandwidth(rt_rq));
 		}
 	}
+	atomic_set(&curr->rt_signals_recv_count, 0);
 }
 
 static void
diff --git a/kernel/signal.c b/kernel/signal.c
index bdca529f0f7b..d58e0ba9336c 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -629,6 +629,15 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask,
 	bool resched_timer = false;
 	int signr;
 
+	/*
+	 * To prevent an RCU stall due to receiving too many signals by RT tasks,
+	 * count all signals regardless of their type.
+	 * Based on this counter, the RT scheduler will decide whether the task
+	 * should be throttled or not.
+	 */
+	if (tsk->policy == SCHED_FIFO || tsk->policy == SCHED_RR)
+		atomic_inc(&tsk->rt_signals_recv_count);
+
 	/* We only dequeue private signals from ourselves, we don't let
 	 * signalfd steal them
 	 */
-- 
2.43.0

[syzbot] [input?] WARNING in bcm5974_start_traffic/usb_submit_urb (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    fec50db7033e Linux 6.9-rc3
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14439bd3180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=560f5db1d0b3f6d0
dashboard link: https://syzkaller.appspot.com/bug?extid=b064b5599f18f7ebb1e1
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11c2c5bd180000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13cbbf5b180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ab4d6cae2eca/disk-fec50db7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b67542cc5860/vmlinux-fec50db7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3eeebb470b79/Image-fec50db7.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b064b5599f18f7ebb1e1@syzkaller.appspotmail.com

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 6237 at drivers/usb/core/urb.c:504 usb_submit_urb+0xa00/0x1434 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 0 PID: 6237 Comm: udevd Not tainted 6.9.0-rc3-syzkaller-gfec50db7033e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usb_submit_urb+0xa00/0x1434 drivers/usb/core/urb.c:503
lr : usb_submit_urb+0xa00/0x1434 drivers/usb/core/urb.c:503
sp : ffff80009f8b73b0
x29: ffff80009f8b73f0 x28: ffff0000d4fee000 x27: 0000000000000001
x26: ffff80008c6919e8 x25: ffff0000c8bd1fe0 x24: ffff0000c1d45a50
x23: ffff80008c698500 x22: dfff800000000000 x21: 0000000000000002
x20: 0000000000000cc0 x19: ffff0000c1d45a00 x18: 0000000000000008
x17: 0000000000000000 x16: ffff80008ae6d1bc x15: 0000000000000001
x14: 1fffe000367b9a02 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000002 x10: 0000000000ff0100 x9 : b1573c5f9bab7600
x8 : b1573c5f9bab7600 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009f8b6b18 x4 : ffff80008ef65000 x3 : ffff8000805e9200
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
 usb_submit_urb+0xa00/0x1434 drivers/usb/core/urb.c:503
 bcm5974_start_traffic+0xe0/0x154 drivers/input/mouse/bcm5974.c:799
 bcm5974_open+0x98/0x134 drivers/input/mouse/bcm5974.c:839
 input_open_device+0x170/0x29c drivers/input/input.c:654
 evdev_open_device drivers/input/evdev.c:400 [inline]
 evdev_open+0x308/0x4b4 drivers/input/evdev.c:487
 chrdev_open+0x3c8/0x4dc fs/char_dev.c:414
 do_dentry_open+0x778/0x12b4 fs/open.c:955
 vfs_open+0x7c/0x90 fs/open.c:1089
 do_open fs/namei.c:3642 [inline]
 path_openat+0x1f6c/0x2830 fs/namei.c:3799
 do_filp_open+0x1bc/0x3cc fs/namei.c:3826
 do_sys_openat2+0x124/0x1b8 fs/open.c:1406
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __arm64_sys_openat+0x1f0/0x240 fs/open.c:1432
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 5626
hardirqs last  enabled at (5625): [<ffff8000803749b0>] __up_console_sem kernel/printk/printk.c:341 [inline]
hardirqs last  enabled at (5625): [<ffff8000803749b0>] __console_unlock kernel/printk/printk.c:2731 [inline]
hardirqs last  enabled at (5625): [<ffff8000803749b0>] console_unlock+0x17c/0x3d4 kernel/printk/printk.c:3050
hardirqs last disabled at (5626): [<ffff80008ae68608>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last  enabled at (2362): [<ffff800080031848>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (2360): [<ffff800080031814>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: test
Author: mukattreyee@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [bluetooth?] WARNING in hci_conn_set_handle

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    480e035fc4c7 Merge tag 'drm-next-2024-03-13' of https://gi..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=138825a1180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1e5b814e91787669
dashboard link: https://syzkaller.appspot.com/bug?extid=d6282a21a27259b5f7e7
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10f3e213180000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=162d4723180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f73b6ef963d/disk-480e035f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/46c949396aad/vmlinux-480e035f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e3b4d0f5a5f8/bzImage-480e035f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6282a21a27259b5f7e7@syzkaller.appspotmail.com

------------[ cut here ]------------
ida_free called for id=8192 which is not allocated.
WARNING: CPU: 0 PID: 5073 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525
Modules linked in:
CPU: 0 PID: 5073 Comm: kworker/u9:2 Not tainted 6.8.0-syzkaller-08073-g480e035fc4c7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: hci0 hci_rx_work
RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525
Code: 10 42 80 3c 28 00 74 05 e8 8d de 90 f6 48 8b 7c 24 40 4c 89 fe e8 c0 93 17 00 90 48 c7 c7 c0 e6 c6 8c 89 de e8 81 63 f0 f5 90 <0f> 0b 90 90 eb 3d e8 45 8f 2d f6 49 bd 00 00 00 00 00 fc ff df 4d
RSP: 0018:ffffc90003a0f780 EFLAGS: 00010246
RAX: d8e6756074d01200 RBX: 0000000000002000 RCX: ffff888022703c00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003a0f880 R08: ffffffff8157cc12 R09: 1ffff92000741e90
R10: dffffc0000000000 R11: fffff52000741e91 R12: ffffc90003a0f7c0
R13: dffffc0000000000 R14: ffff88801fce00a0 R15: 0000000000000246
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f78c634e9c3 CR3: 0000000078b22000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 hci_conn_set_handle+0x193/0x270 net/bluetooth/hci_conn.c:1257
 hci_le_create_big_complete_evt+0x345/0xae0 net/bluetooth/hci_event.c:6924
 hci_event_func net/bluetooth/hci_event.c:7514 [inline]
 hci_event_packet+0xa53/0x1540 net/bluetooth/hci_event.c:7569
 hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4171
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
 kthread+0x2f0/0x390 kernel/kthread.c:388
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: test
Author: mukattreyee@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [ntfs3?] WARNING in do_open_execat (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    707081b61156 Merge branch 'for-next/core', remote-tracking..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=106d6d15180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=caeac3f3565b057a
dashboard link: https://syzkaller.appspot.com/bug?extid=fe18c63ce101f2b358bb
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=156040bd180000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=149d2ead180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6cad68bf7532/disk-707081b6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1a27e5400778/vmlinux-707081b6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/67dfc53755d0/Image-707081b6.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e198b7a8a7f2/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fe18c63ce101f2b358bb@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 4096
ntfs: volume version 3.1.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 6164 at fs/exec.c:940 do_open_execat+0x2bc/0x3bc
Modules linked in:
CPU: 0 PID: 6164 Comm: syz-executor379 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : do_open_execat+0x2bc/0x3bc
lr : do_open_execat+0x2b8/0x3bc fs/exec.c:939
sp : ffff8000977a7b60
x29: ffff8000977a7bd0 x28: 0000000000000000 x27: ffff0000d609da2c
x26: 00000000ffffff9c x25: dfff800000000000 x24: ffff700012ef4f6c
x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
x20: fffffffffffffff3 x19: ffff0000d5ba0000 x18: ffff8000977a7100
x17: 000000000000c791 x16: ffff80008aca6dc0 x15: 0000000000000002
x14: 1ffff00012ef4f34 x13: 0000000000000000 x12: 0000000000000000
x11: ffff700012ef4f36 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000d609da00 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000010
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000008000
Call trace:
 do_open_execat+0x2bc/0x3bc
 alloc_bprm+0x44/0x934 fs/exec.c:1541
 do_execveat_common+0x158/0x814 fs/exec.c:1935
 do_execveat fs/exec.c:2069 [inline]
 __do_sys_execveat fs/exec.c:2143 [inline]
 __se_sys_execveat fs/exec.c:2137 [inline]
 __arm64_sys_execveat+0xd0/0xec fs/exec.c:2137
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 24796
hardirqs last  enabled at (24795): [<ffff80008ae5ce28>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last  enabled at (24795): [<ffff80008ae5ce28>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (24796): [<ffff80008ad66988>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last  enabled at (24766): [<ffff80008002189c>] softirq_handle_end kernel/softirq.c:399 [inline]
softirqs last  enabled at (24766): [<ffff80008002189c>] __do_softirq+0xac8/0xce4 kernel/softirq.c:582
softirqs last disabled at (24737): [<ffff80008002ab48>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:81
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: mukattreyee@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [mm?] INFO: rcu detected stall in sys_clone (8)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    f99c5f563c17 Merge tag 'nf-24-03-21' of git://git.kernel.o..
git tree:       net
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12163769180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=c4c6c3dc10cc96bcf723
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=125d023a180000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14a54006180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/65d3f3eb786e/disk-f99c5f56.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/799cf7f28ff8/vmlinux-f99c5f56.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab26c60c3845/bzImage-f99c5f56.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c4c6c3dc10cc96bcf723@syzkaller.appspotmail.com

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	1-...!: (1 ticks this GP) idle=f744/1/0x4000000000000000 softirq=6822/6822 fqs=0
rcu: 	(detected by 0, t=10503 jiffies, g=8373, q=658 ncpus=2)
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 4736 Comm: dhcpcd Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
RIP: 0010:lockdep_enabled kernel/locking/lockdep.c:122 [inline]
RIP: 0010:lock_release+0x124/0x9d0 kernel/locking/lockdep.c:5767
Code: 00 65 48 8b 04 25 80 ce 03 00 48 89 44 24 18 48 8d 98 d4 0a 00 00 48 89 d8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 c3 05 00 00 <83> 3b 00 0f 85 f1 04 00 00 4c 8d b4 24 b0 00 00 00 4c 89 f3 48 c1
RSP: 0018:ffffc90000a08a60 EFLAGS: 00000046
RAX: 0000000000000000 RBX: ffff888018308ad4 RCX: ffffffff8171c080
RDX: 0000000000000000 RSI: ffffffff8bfec640 RDI: ffffffff8bfec600
RBP: ffffc90000a08b90 R08: ffffffff8f86ae6f R09: 1ffffffff1f0d5cd
R10: dffffc0000000000 R11: fffffbfff1f0d5ce R12: 1ffff92000141158
R13: ffffffff84ac5555 R14: ffffc90000a08bc0 R15: dffffc0000000000
FS:  00007f8e49f9b740(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8e4a140b10 CR3: 0000000028508000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:149 [inline]
 _raw_spin_unlock_irqrestore+0x79/0x140 kernel/locking/spinlock.c:194
 debug_object_deactivate+0x2d5/0x390 lib/debugobjects.c:778
 debug_hrtimer_deactivate kernel/time/hrtimer.c:428 [inline]
 debug_deactivate+0x1b/0x200 kernel/time/hrtimer.c:484
 __run_hrtimer kernel/time/hrtimer.c:1660 [inline]
 __hrtimer_run_queues+0x30f/0xd00 kernel/time/hrtimer.c:1756
 hrtimer_interrupt+0x396/0x990 kernel/time/hrtimer.c:1818
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline]
 __sysvec_apic_timer_interrupt+0x107/0x3a0 arch/x86/kernel/apic/apic.c:1049
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:check_kcov_mode kernel/kcov.c:184 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:236 [inline]
RIP: 0010:__sanitizer_cov_trace_cmp8+0x35/0x90 kernel/kcov.c:284
Code: 0c 25 80 ce 03 00 65 8b 05 a0 db 6e 7e a9 00 01 ff 00 74 10 a9 00 01 00 00 74 57 83 b9 14 16 00 00 00 74 4e 8b 81 f0 15 00 00 <83> f8 03 75 43 48 8b 91 f8 15 00 00 44 8b 89 f4 15 00 00 49 c1 e1
RSP: 0018:ffffc900035ff500 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffffff81000000 RCX: ffff888018308000
RDX: ffffc900035ff615 RSI: ffffffff81000000 RDI: ffffffff81ecc4e1
RBP: ffffffff81ecc4e1 R08: ffffffff81409149 R09: ffffc900035ff6d0
R10: 0000000000000003 R11: ffffffff8180dbc0 R12: ffffc900035ff5e0
R13: ffffc900035ff630 R14: dffffc0000000000 R15: ffffffff81ecc4e2
 orc_find arch/x86/kernel/unwind_orc.c:206 [inline]
 unwind_next_frame+0x1d9/0x2a00 arch/x86/kernel/unwind_orc.c:494
 arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_node+0x192/0x380 mm/slub.c:3903
 alloc_task_struct_node kernel/fork.c:176 [inline]
 dup_task_struct+0x57/0x7d0 kernel/fork.c:1106
 copy_process+0x5d1/0x3df0 kernel/fork.c:2219
 kernel_clone+0x21e/0x8d0 kernel/fork.c:2796
 __do_sys_clone kernel/fork.c:2939 [inline]
 __se_sys_clone kernel/fork.c:2923 [inline]
 __x64_sys_clone+0x258/0x2a0 kernel/fork.c:2923
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f8e4a04ba12
Code: 41 5d 41 5e 41 5f c3 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 10 48 8b 15 e7 43 0f 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fff3d31e228 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00005624b41b1601 RCX: 00007f8e4a04ba12
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007fff3d33e798 R08: 0000000000000000 R09: 00005624b41b15d0
R10: 00007f8e49f9ba10 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 00005624b41b1604
 </TASK>
rcu: rcu_preempt kthread timer wakeup didn't happen for 10502 jiffies! g8373 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402
rcu: 	Possible timer handling issue on cpu=1 timer-softirq=4283
rcu: rcu_preempt kthread starved for 10503 jiffies! g8373 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=1
rcu: 	Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt     state:I stack:24656 pid:16    tgid:16    ppid:2      flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5409 [inline]
 __schedule+0x17d3/0x4a20 kernel/sched/core.c:6736
 __schedule_loop kernel/sched/core.c:6813 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6828
 schedule_timeout+0x1be/0x310 kernel/time/timer.c:2572
 rcu_gp_fqs_loop+0x2df/0x1370 kernel/rcu/tree.c:1663
 rcu_gp_kthread+0xa7/0x3b0 kernel/rcu/tree.c:1862
 kthread+0x2f0/0x390 kernel/kthread.c:388
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: radoslaw.zielonek@gmail.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 71b1543c83d65af8215d7558d70fc2ecbee77dcf

---
 net/sched/sch_taprio.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index a0d54b422186..41add4a1d407 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -44,6 +44,8 @@ static struct static_key_false taprio_have_working_mqprio;
 	(TCA_TAPRIO_ATTR_FLAG_TXTIME_ASSIST | TCA_TAPRIO_ATTR_FLAG_FULL_OFFLOAD)
 #define TAPRIO_FLAGS_INVALID U32_MAX
 
+#define TAPRIO_MAX_NUM_SCHEDULES_BEFORE_NOW 10
+
 struct sched_entry {
 	/* Durations between this GCL entry and the GCL entry where the
 	 * respective traffic class gate closes
@@ -62,6 +64,8 @@ struct sched_entry {
 	u32 gate_mask;
 	u32 interval;
 	u8 command;
+	/* Used to skip some cycles to prevent other tasks from starving */
+	u8 num_schedules_before_now;
 };
 
 struct sched_gate_list {
@@ -111,6 +115,9 @@ struct __tc_taprio_qopt_offload {
 	struct tc_taprio_qopt_offload offload;
 };
 
+static void setup_txtime(struct taprio_sched *q,
+			 struct sched_gate_list *sched, ktime_t base);
+
 static void taprio_calculate_gate_durations(struct taprio_sched *q,
 					    struct sched_gate_list *sched)
 {
@@ -919,6 +926,7 @@ static enum hrtimer_restart advance_sched(struct hrtimer *timer)
 	struct sched_entry *entry, *next;
 	struct Qdisc *sch = q->root;
 	ktime_t end_time;
+	ktime_t basenow;
 	int tc;
 
 	spin_lock(&q->current_entry_lock);
@@ -977,6 +985,23 @@ static enum hrtimer_restart advance_sched(struct hrtimer *timer)
 	taprio_set_budgets(q, oper, next);
 
 first_run:
+	basenow = ktime_get();
+	if (ktime_before(end_time, basenow))
+	{
+		next->num_schedules_before_now++;
+		if (next->num_schedules_before_now >= TAPRIO_MAX_NUM_SCHEDULES_BEFORE_NOW)
+		{
+			end_time = ktime_add_ns(basenow, oper->cycle_time);
+			next->end_time = end_time;
+			next->num_schedules_before_now = 0;
+			setup_txtime(q, oper, basenow);
+		}
+	}
+	else
+	{
+		next->num_schedules_before_now = 0;
+	}
+
 	rcu_assign_pointer(q->current_entry, next);
 	spin_unlock(&q->current_entry_lock);
 
@@ -1074,6 +1099,7 @@ static int parse_sched_entry(struct taprio_sched *q, struct nlattr *n,
 	}
 
 	entry->index = index;
+	entry->num_schedules_before_now = 0;
 
 	return fill_sched_entry(q, tb, entry, extack);
 }
-- 
2.43.0

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: radoslaw.zielonek@gmail.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e25604716c03576d05ac8a5209743

---
 include/linux/sched.h |  7 +++++++
 kernel/sched/core.c   |  1 +
 kernel/sched/rt.c     | 26 +++++++++++++++++++++++---
 kernel/signal.c       |  9 +++++++++
 4 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/include/linux/sched.h b/include/linux/sched.h
index 17cb0761ff65..123bc16ad3d0 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1121,6 +1121,13 @@ struct task_struct {
 	size_t				sas_ss_size;
 	unsigned int			sas_ss_flags;
 
+	/*
+	 * Number of signals received by an RT task between scheduling ticks.
+	 * This counter is used to throttle RT tasks when too many signals
+	 * (e.g., POSIX timers) are sent to the task, which can cause an RCU stall.
+	 */
+	atomic_t rt_signals_recv_count; /* used outside of the rq lock */
+
 	struct callback_head		*task_works;
 
 #ifdef CONFIG_AUDIT
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index d44efa0d0611..9def826bd35f 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4779,6 +4779,7 @@ int sched_fork(unsigned long clone_flags, struct task_struct *p)
 			p->policy = SCHED_NORMAL;
 			p->static_prio = NICE_TO_PRIO(0);
 			p->rt_priority = 0;
+			atomic_set(&p->rt_signals_recv_count, 0);
 		} else if (PRIO_TO_NICE(p->static_prio) < 0)
 			p->static_prio = NICE_TO_PRIO(0);
 
diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
index 3261b067b67e..9b22d67d1746 100644
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -24,6 +24,15 @@ int sysctl_sched_rt_period = 1000000;
  */
 int sysctl_sched_rt_runtime = 950000;
 
+/*
+ * To avoid an RCU stall due to a large number of signals received by RT tasks
+ * (e.g., POSIX timers), the RT task needs to be throttled.
+ * When the number of signals received by an RT task during a scheduling
+ * tick period exceeds the threshold, the RT task will be throttled.
+ * The value of 100 has not been thoroughly tested and may need adjustment.
+ */
+#define RT_RECV_SGINAL_THROTTLE_THRESHOLD 100
+
 #ifdef CONFIG_SYSCTL
 static int sysctl_sched_rr_timeslice = (MSEC_PER_SEC * RR_TIMESLICE) / HZ;
 static int sched_rt_handler(struct ctl_table *table, int write, void *buffer,
@@ -951,7 +960,7 @@ static inline int rt_se_prio(struct sched_rt_entity *rt_se)
 	return rt_task_of(rt_se)->prio;
 }
 
-static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq)
+static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq, int rt_signal_recv)
 {
 	u64 runtime = sched_rt_runtime(rt_rq);
 
@@ -966,7 +975,15 @@ static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq)
 	if (runtime == RUNTIME_INF)
 		return 0;
 
-	if (rt_rq->rt_time > runtime) {
+	/*
+	 * When a large number of signals are sent to this task (e.g., POSIX timers)
+	 * the delta time deviates significantly from real time due to the overhead
+	 * of handling signals. For RT tasks, this can cause an RCU stall.
+	 * To avoid this, throttle the task when the number of signals received
+	 * exceeds a certain threshold.
+	 */
+	if (rt_rq->rt_time > runtime ||
+		rt_signal_recv >= RT_RECV_SGINAL_THROTTLE_THRESHOLD) {
 		struct rt_bandwidth *rt_b = sched_rt_bandwidth(rt_rq);
 
 		/*
@@ -1021,7 +1038,9 @@ static void update_curr_rt(struct rq *rq)
 		if (sched_rt_runtime(rt_rq) != RUNTIME_INF) {
 			raw_spin_lock(&rt_rq->rt_runtime_lock);
 			rt_rq->rt_time += delta_exec;
-			exceeded = sched_rt_runtime_exceeded(rt_rq);
+			exceeded = sched_rt_runtime_exceeded(
+						rt_rq,
+						atomic_read(&curr->rt_signals_recv_count));
 			if (exceeded)
 				resched_curr(rq);
 			raw_spin_unlock(&rt_rq->rt_runtime_lock);
@@ -1029,6 +1048,7 @@ static void update_curr_rt(struct rq *rq)
 				do_start_rt_bandwidth(sched_rt_bandwidth(rt_rq));
 		}
 	}
+	atomic_set(&curr->rt_signals_recv_count, 0);
 }
 
 static void
diff --git a/kernel/signal.c b/kernel/signal.c
index bdca529f0f7b..d58e0ba9336c 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -629,6 +629,15 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask,
 	bool resched_timer = false;
 	int signr;
 
+	/*
+	 * To prevent an RCU stall due to receiving too many signals by RT tasks,
+	 * count all signals regardless of their type.
+	 * Based on this counter, the RT scheduler will decide whether the task
+	 * should be throttled or not.
+	 */
+	if (tsk->policy == SCHED_FIFO || tsk->policy == SCHED_RR)
+		atomic_inc(&tsk->rt_signals_recv_count);
+
 	/* We only dequeue private signals from ourselves, we don't let
 	 * signalfd steal them
 	 */
-- 
2.43.0

[syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [kvm?] WARNING in kvm_mmu_notifier_invalidate_range_start (3)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    b57b17e88bf5 Merge tag 'parisc-for-6.7-rc1-2' of git://git..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14460084e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d950a2e2e34359e2
dashboard link: https://syzkaller.appspot.com/bug?extid=c74f40907a9c0479af10
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15785fc4e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1469c9a8e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f611e08f3538/disk-b57b17e8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/035697c78f4a/vmlinux-b57b17e8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5fd2581edc0c/bzImage-b57b17e8.xz

Bisection is inconclusive: the first bad commit could be any of:

d61ea1cb0095 userfaultfd: UFFD_FEATURE_WP_ASYNC
52526ca7fdb9 fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1338e5a8e80000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c74f40907a9c0479af10@syzkaller.appspotmail.com

kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5071 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:592 __kvm_handle_hva_range arch/x86/kvm/../../../virt/kvm/kvm_main.c:592 [inline]
WARNING: CPU: 1 PID: 5071 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:592 kvm_mmu_notifier_invalidate_range_start+0x91b/0xa90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:811
Modules linked in:
CPU: 1 PID: 5071 Comm: syz-executor531 Not tainted 6.6.0-syzkaller-16201-gb57b17e88bf5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__kvm_handle_hva_range arch/x86/kvm/../../../virt/kvm/kvm_main.c:592 [inline]
RIP: 0010:kvm_mmu_notifier_invalidate_range_start+0x91b/0xa90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:811
Code: 1b 8c 7e 00 45 84 e4 0f 85 9f f8 ff ff e8 dd 90 7e 00 0f 0b e9 93 f8 ff ff e8 d1 90 7e 00 0f 0b e9 d9 fd ff ff e8 c5 90 7e 00 <0f> 0b e9 e6 fc ff ff e8 b9 90 7e 00 0f 0b e9 a9 fc ff ff e8 ad 90
RSP: 0018:ffffc90003877ac8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000020ffc000 RCX: ffffffff810a0d7b
RDX: ffff88807e9d1dc0 RSI: ffffffff810a141b RDI: 0000000000000006
RBP: ffffc90003877d60 R08: 0000000000000006 R09: 0000000020ffc000
R10: 0000000020ffc000 R11: ffffffff916014f0 R12: ffffc900015aea30
R13: 0000000000000001 R14: 0000000020ffc000 R15: ffffc900015b7810
FS:  00005555562b2380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd7cef33ae0 CR3: 000000007bde5000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 mn_hlist_invalidate_range_start mm/mmu_notifier.c:493 [inline]
 __mmu_notifier_invalidate_range_start+0x3b5/0x8e0 mm/mmu_notifier.c:548
 mmu_notifier_invalidate_range_start include/linux/mmu_notifier.h:457 [inline]
 do_pagemap_scan+0xbd3/0xcc0 fs/proc/task_mmu.c:2422
 do_pagemap_cmd+0x5e/0x80 fs/proc/task_mmu.c:2478
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f826e81d5e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc43d7c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc43d7c2e0 RCX: 00007f826e81d5e9
RDX: 0000000020000040 RSI: 00000000c0606610 RDI: 0000000000000005
RBP: 00007f826e890610 R08: 0000000000000000 R09: 68742f636f72702f
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc43d7c518 R14: 0000000000000001 R15: 0000000000000001
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [kernel?] inconsistent lock state in ptrace_attach

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    f31817cbcf48 Add linux-next specific files for 20231116
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=112158fb680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f59345f1d0a928c
dashboard link: https://syzkaller.appspot.com/bug?extid=cbb25bb9b4d29a773985
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/987488cb251e/disk-f31817cb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d4a82d8bd4b/vmlinux-f31817cb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fc43dee9cb86/bzImage-f31817cb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cbb25bb9b4d29a773985@syzkaller.appspotmail.com

================================
WARNING: inconsistent lock state
6.7.0-rc1-next-20231116-syzkaller #0 Not tainted
--------------------------------
inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
syz-executor.1/5657 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff88807ba4a518 (&sighand->siglock){?.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88807ba4a518 (&sighand->siglock){?.-.}-{2:2}, at: class_spinlock_constructor include/linux/spinlock.h:530 [inline]
ffff88807ba4a518 (&sighand->siglock){?.-.}-{2:2}, at: ptrace_set_stopped kernel/ptrace.c:391 [inline]
ffff88807ba4a518 (&sighand->siglock){?.-.}-{2:2}, at: ptrace_attach+0x401/0x650 kernel/ptrace.c:478
{IN-HARDIRQ-W} state was registered at:
  lock_acquire kernel/locking/lockdep.c:5753 [inline]
  lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
  _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
  __lock_task_sighand+0xc2/0x340 kernel/signal.c:1422
  lock_task_sighand include/linux/sched/signal.h:748 [inline]
  send_sigqueue+0x1d4/0x840 kernel/signal.c:1996
  posix_timer_event kernel/time/posix-timers.c:298 [inline]
  posix_timer_fn+0x181/0x3d0 kernel/time/posix-timers.c:324
  __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
  __hrtimer_run_queues+0x20c/0xc20 kernel/time/hrtimer.c:1752
  hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1814
  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1065 [inline]
  __sysvec_apic_timer_interrupt+0x10c/0x410 arch/x86/kernel/apic/apic.c:1082
  sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1076
  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
  lock_acquire+0x1f2/0x530 kernel/locking/lockdep.c:5721
  rcu_lock_acquire include/linux/rcupdate.h:301 [inline]
  rcu_read_lock include/linux/rcupdate.h:747 [inline]
  batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:408 [inline]
  batadv_nc_worker+0x16e/0x10e0 net/batman-adv/network-coding.c:719
  process_one_work+0x8a4/0x15f0 kernel/workqueue.c:2636
  process_scheduled_works kernel/workqueue.c:2709 [inline]
  worker_thread+0x8b6/0x1290 kernel/workqueue.c:2790
  kthread+0x2c1/0x3a0 kernel/kthread.c:388
  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
irq event stamp: 1111
hardirqs last  enabled at (1111): [<ffffffff8a84a34e>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last  enabled at (1111): [<ffffffff8a84a34e>] _raw_spin_unlock_irqrestore+0x4e/0x70 kernel/locking/spinlock.c:194
hardirqs last disabled at (1110): [<ffffffff8a84a0fe>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (1110): [<ffffffff8a84a0fe>] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162
softirqs last  enabled at (1016): [<ffffffff81310072>] local_bh_enable include/linux/bottom_half.h:33 [inline]
softirqs last  enabled at (1016): [<ffffffff81310072>] fpregs_unlock arch/x86/include/asm/fpu/api.h:80 [inline]
softirqs last  enabled at (1016): [<ffffffff81310072>] fpu_clone+0x342/0xb60 arch/x86/kernel/fpu/core.c:634
softirqs last disabled at (1014): [<ffffffff81310007>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last disabled at (1014): [<ffffffff81310007>] fpregs_lock arch/x86/include/asm/fpu/api.h:72 [inline]
softirqs last disabled at (1014): [<ffffffff81310007>] fpu_clone+0x2d7/0xb60 arch/x86/kernel/fpu/core.c:630

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&sighand->siglock);
  <Interrupt>
    lock(&sighand->siglock);

 *** DEADLOCK ***

2 locks held by syz-executor.1/5657:
 #0: ffff888022a1e3c8 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: class_mutex_intr_constructor include/linux/mutex.h:225 [inline]
 #0: ffff888022a1e3c8 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: ptrace_attach+0x1eb/0x650 kernel/ptrace.c:455
 #1: ffffffff8cc0a098 (tasklist_lock){++++}-{2:2}, at: class_write_lock_constructor include/linux/spinlock.h:564 [inline]
 #1: ffffffff8cc0a098 (tasklist_lock){++++}-{2:2}, at: ptrace_attach+0x2c3/0x650 kernel/ptrace.c:464

stack backtrace:
CPU: 0 PID: 5657 Comm: syz-executor.1 Not tainted 6.7.0-rc1-next-20231116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_usage_bug kernel/locking/lockdep.c:3970 [inline]
 valid_state kernel/locking/lockdep.c:4012 [inline]
 mark_lock_irq kernel/locking/lockdep.c:4215 [inline]
 mark_lock+0x91a/0xc50 kernel/locking/lockdep.c:4677
 mark_usage kernel/locking/lockdep.c:4586 [inline]
 __lock_acquire+0x919/0x3b10 kernel/locking/lockdep.c:5090
 lock_acquire kernel/locking/lockdep.c:5753 [inline]
 lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 class_spinlock_constructor include/linux/spinlock.h:530 [inline]
 ptrace_set_stopped kernel/ptrace.c:391 [inline]
 ptrace_attach+0x401/0x650 kernel/ptrace.c:478
 __do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7f390ac7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f390ba5a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000065
RAX: ffffffffffffffda RBX: 00007f390ad9c1f0 RCX: 00007f390ac7cae9
RDX: 0000000000000000 RSI: 000000000000005c RDI: 0000000000000010
RBP: 00007f390acc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f390ad9c1f0 R15: 00007ffe8ba90308
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [cgroups?] possible deadlock in cgroup_free

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    f31817cbcf48 Add linux-next specific files for 20231116
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17d0aca7680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f59345f1d0a928c
dashboard link: https://syzkaller.appspot.com/bug?extid=cef555184e66963dabc2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/987488cb251e/disk-f31817cb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d4a82d8bd4b/vmlinux-f31817cb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fc43dee9cb86/bzImage-f31817cb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cef555184e66963dabc2@syzkaller.appspotmail.com

=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
6.7.0-rc1-next-20231116-syzkaller #0 Not tainted
-----------------------------------------------------
syz-executor.3/8188 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
ffff88801f641298 (&sighand->siglock){+.+.}-{2:2}, at: __lock_task_sighand+0xc2/0x340 kernel/signal.c:1422

and this task is already holding:
ffffffff8cff86b8 (css_set_lock){..-.}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:376 [inline]
ffffffff8cff86b8 (css_set_lock){..-.}-{2:2}, at: cgroup_migrate_execute+0xd8/0x1230 kernel/cgroup/cgroup.c:2566
which would create a new lock dependency:
 (css_set_lock){..-.}-{2:2} -> (&sighand->siglock){+.+.}-{2:2}

but this new dependency connects a SOFTIRQ-irq-safe lock:
 (css_set_lock){..-.}-{2:2}

... which became SOFTIRQ-irq-safe at:
  lock_acquire kernel/locking/lockdep.c:5753 [inline]
  lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
  _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
  put_css_set kernel/cgroup/cgroup-internal.h:208 [inline]
  put_css_set kernel/cgroup/cgroup-internal.h:196 [inline]
  cgroup_free+0x7c/0x1d0 kernel/cgroup/cgroup.c:6748
  __put_task_struct+0x10b/0x3d0 kernel/fork.c:992
  put_task_struct include/linux/sched/task.h:136 [inline]
  put_task_struct include/linux/sched/task.h:123 [inline]
  delayed_put_task_struct+0x22c/0x2d0 kernel/exit.c:227
  rcu_do_batch kernel/rcu/tree.c:2158 [inline]
  rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2431
  __do_softirq+0x216/0x8d5 kernel/softirq.c:553
  invoke_softirq kernel/softirq.c:427 [inline]
  __irq_exit_rcu kernel/softirq.c:632 [inline]
  irq_exit_rcu+0xb5/0x120 kernel/softirq.c:644
  sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
  lock_acquire+0x1f2/0x530 kernel/locking/lockdep.c:5721
  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
  _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
  spin_lock include/linux/spinlock.h:351 [inline]
  lockref_put_or_lock+0x18/0x80 lib/lockref.c:147
  fast_dput fs/dcache.c:775 [inline]
  fast_dput fs/dcache.c:765 [inline]
  dput+0x4c4/0xd90 fs/dcache.c:900
  shmem_unlink+0x1bc/0x310 mm/shmem.c:3373
  shmem_rename2+0x1ff/0x3b0 mm/shmem.c:3451
  vfs_rename+0xe20/0x1c30 fs/namei.c:4844
  do_renameat2+0xc3c/0xdc0 fs/namei.c:4996
  __do_sys_rename fs/namei.c:5042 [inline]
  __se_sys_rename fs/namei.c:5040 [inline]
  __x64_sys_rename+0x81/0xa0 fs/namei.c:5040
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x62/0x6a

to a SOFTIRQ-irq-unsafe lock:
 (&sighand->siglock){+.+.}-{2:2}

... which became SOFTIRQ-irq-unsafe at:
...
  lock_acquire kernel/locking/lockdep.c:5753 [inline]
  lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
  _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
  spin_lock include/linux/spinlock.h:351 [inline]
  class_spinlock_constructor include/linux/spinlock.h:530 [inline]
  ptrace_set_stopped kernel/ptrace.c:391 [inline]
  ptrace_attach+0x401/0x650 kernel/ptrace.c:478
  __do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x62/0x6a

other info that might help us debug this:

 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sighand->siglock);
                               local_irq_disable();
                               lock(css_set_lock);
                               lock(&sighand->siglock);
  <Interrupt>
    lock(css_set_lock);

 *** DEADLOCK ***

8 locks held by syz-executor.3/8188:
 #0: ffff88801d0e0d48 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe7/0x170 fs/file.c:1177
 #1: ffff888014b44420 (sb_writers#10){.+.+}-{0:0}, at: ksys_write+0x12f/0x250 fs/read_write.c:637
 #2: ffff88807ad7f088 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27d/0x500 fs/kernfs/file.c:325
 #3: ffffffff8cff8768 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock include/linux/cgroup.h:368 [inline]
 #3: ffffffff8cff8768 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xad/0x6d0 kernel/cgroup/cgroup.c:3092
 #4: ffffffff8ce51f70 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2413 [inline]
 #4: ffffffff8ce51f70 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_update_dfl_csses+0x2fb/0x640 kernel/cgroup/cgroup.c:3050
 #5: ffffffff8cff8530 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2415 [inline]
 #5: ffffffff8cff8530 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2411 [inline]
 #5: ffffffff8cff8530 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_update_dfl_csses+0x3d1/0x640 kernel/cgroup/cgroup.c:3050
 #6: ffffffff8cff86b8 (css_set_lock){..-.}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:376 [inline]
 #6: ffffffff8cff86b8 (css_set_lock){..-.}-{2:2}, at: cgroup_migrate_execute+0xd8/0x1230 kernel/cgroup/cgroup.c:2566
 #7: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:301 [inline]
 #7: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
 #7: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: __lock_task_sighand+0x3f/0x340 kernel/signal.c:1405

the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (css_set_lock){..-.}-{2:2} {
   IN-SOFTIRQ-W at:
                    lock_acquire kernel/locking/lockdep.c:5753 [inline]
                    lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
                    __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
                    _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
                    put_css_set kernel/cgroup/cgroup-internal.h:208 [inline]
                    put_css_set kernel/cgroup/cgroup-internal.h:196 [inline]
                    cgroup_free+0x7c/0x1d0 kernel/cgroup/cgroup.c:6748
                    __put_task_struct+0x10b/0x3d0 kernel/fork.c:992
                    put_task_struct include/linux/sched/task.h:136 [inline]
                    put_task_struct include/linux/sched/task.h:123 [inline]
                    delayed_put_task_struct+0x22c/0x2d0 kernel/exit.c:227
                    rcu_do_batch kernel/rcu/tree.c:2158 [inline]
                    rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2431
                    __do_softirq+0x216/0x8d5 kernel/softirq.c:553
                    invoke_softirq kernel/softirq.c:427 [inline]
                    __irq_exit_rcu kernel/softirq.c:632 [inline]
                    irq_exit_rcu+0xb5/0x120 kernel/softirq.c:644
                    sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
                    asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
                    lock_acquire+0x1f2/0x530 kernel/locking/lockdep.c:5721
                    __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
                    _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
                    spin_lock include/linux/spinlock.h:351 [inline]
                    lockref_put_or_lock+0x18/0x80 lib/lockref.c:147
                    fast_dput fs/dcache.c:775 [inline]
                    fast_dput fs/dcache.c:765 [inline]
                    dput+0x4c4/0xd90 fs/dcache.c:900
                    shmem_unlink+0x1bc/0x310 mm/shmem.c:3373
                    shmem_rename2+0x1ff/0x3b0 mm/shmem.c:3451
                    vfs_rename+0xe20/0x1c30 fs/namei.c:4844
                    do_renameat2+0xc3c/0xdc0 fs/namei.c:4996
                    __do_sys_rename fs/namei.c:5042 [inline]
                    __se_sys_rename fs/namei.c:5040 [inline]
                    __x64_sys_rename+0x81/0xa0 fs/namei.c:5040
                    do_syscall_x64 arch/x86/entry/common.c:51 [inline]
                    do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
                    entry_SYSCALL_64_after_hwframe+0x62/0x6a
   INITIAL USE at:
                   lock_acquire kernel/locking/lockdep.c:5753 [inline]
                   lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
                   __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
                   _raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
                   spin_lock_irq include/linux/spinlock.h:376 [inline]
                   cgroup_setup_root+0x62c/0xa00 kernel/cgroup/cgroup.c:2138
                   cgroup_init+0x23f/0x1100 kernel/cgroup/cgroup.c:6120
                   start_kernel+0x385/0x480 init/main.c:1063
                   x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:555
                   x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:536
                   secondary_startup_64_no_verify+0x166/0x16b
 }
 ... key      at: [<ffffffff8cff86b8>] css_set_lock+0x18/0x60

the dependencies between the lock to be acquired
 and SOFTIRQ-irq-unsafe lock:
-> (&sighand->siglock){+.+.}-{2:2} {
   HARDIRQ-ON-W at:
                    lock_acquire kernel/locking/lockdep.c:5753 [inline]
                    lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
                    __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
                    _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
                    spin_lock include/linux/spinlock.h:351 [inline]
                    class_spinlock_constructor include/linux/spinlock.h:530 [inline]
                    ptrace_set_stopped kernel/ptrace.c:391 [inline]
                    ptrace_attach+0x401/0x650 kernel/ptrace.c:478
                    __do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
                    do_syscall_x64 arch/x86/entry/common.c:51 [inline]
                    do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
                    entry_SYSCALL_64_after_hwframe+0x62/0x6a
   SOFTIRQ-ON-W at:
                    lock_acquire kernel/locking/lockdep.c:5753 [inline]
                    lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
                    __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
                    _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
                    spin_lock include/linux/spinlock.h:351 [inline]
                    class_spinlock_constructor include/linux/spinlock.h:530 [inline]
                    ptrace_set_stopped kernel/ptrace.c:391 [inline]
                    ptrace_attach+0x401/0x650 kernel/ptrace.c:478
                    __do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
                    do_syscall_x64 arch/x86/entry/common.c:51 [inline]
                    do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
                    entry_SYSCALL_64_after_hwframe+0x62/0x6a
   INITIAL USE at:
                   lock_acquire kernel/locking/lockdep.c:5753 [inline]
                   lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
                   __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
                   _raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
                   spin_lock_irq include/linux/spinlock.h:376 [inline]
                   calculate_sigpending+0x44/0xa0 kernel/signal.c:197
                   ret_from_fork+0x23/0x80 arch/x86/kernel/process.c:143
                   ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 }
 ... key      at: [<ffffffff90b49f80>] __key.341+0x0/0x40
 ... acquired at:
   lock_acquire kernel/locking/lockdep.c:5753 [inline]
   lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
   __lock_task_sighand+0xc2/0x340 kernel/signal.c:1422
   lock_task_sighand include/linux/sched/signal.h:748 [inline]
   cgroup_freeze_task+0x80/0x190 kernel/cgroup/freezer.c:160
   cgroup_freezer_migrate_task+0x1b7/0x3a0 kernel/cgroup/freezer.c:257
   cgroup_migrate_execute+0x2d3/0x1230 kernel/cgroup/cgroup.c:2580
   cgroup_update_dfl_csses+0x51b/0x640 kernel/cgroup/cgroup.c:3068
   cgroup_apply_control kernel/cgroup/cgroup.c:3308 [inline]
   cgroup_subtree_control_write+0xb94/0xed0 kernel/cgroup/cgroup.c:3453
   cgroup_file_write+0x209/0x7c0 kernel/cgroup/cgroup.c:4092
   kernfs_fop_write_iter+0x33f/0x500 fs/kernfs/file.c:334
   call_write_iter include/linux/fs.h:2021 [inline]
   new_sync_write fs/read_write.c:491 [inline]
   vfs_write+0x64d/0xdf0 fs/read_write.c:584
   ksys_write+0x12f/0x250 fs/read_write.c:637
   do_syscall_x64 arch/x86/entry/common.c:51 [inline]
   do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
   entry_SYSCALL_64_after_hwframe+0x62/0x6a


stack backtrace:
CPU: 1 PID: 8188 Comm: syz-executor.3 Not tainted 6.7.0-rc1-next-20231116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_bad_irq_dependency kernel/locking/lockdep.c:2626 [inline]
 check_irq_usage+0xe18/0x1470 kernel/locking/lockdep.c:2865
 check_prev_add kernel/locking/lockdep.c:3138 [inline]
 check_prevs_add kernel/locking/lockdep.c:3253 [inline]
 validate_chain kernel/locking/lockdep.c:3868 [inline]
 __lock_acquire+0x247c/0x3b10 kernel/locking/lockdep.c:5136
 lock_acquire kernel/locking/lockdep.c:5753 [inline]
 lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
 __lock_task_sighand+0xc2/0x340 kernel/signal.c:1422
 lock_task_sighand include/linux/sched/signal.h:748 [inline]
 cgroup_freeze_task+0x80/0x190 kernel/cgroup/freezer.c:160
 cgroup_freezer_migrate_task+0x1b7/0x3a0 kernel/cgroup/freezer.c:257
 cgroup_migrate_execute+0x2d3/0x1230 kernel/cgroup/cgroup.c:2580
 cgroup_update_dfl_csses+0x51b/0x640 kernel/cgroup/cgroup.c:3068
 cgroup_apply_control kernel/cgroup/cgroup.c:3308 [inline]
 cgroup_subtree_control_write+0xb94/0xed0 kernel/cgroup/cgroup.c:3453
 cgroup_file_write+0x209/0x7c0 kernel/cgroup/cgroup.c:4092
 kernfs_fop_write_iter+0x33f/0x500 fs/kernfs/file.c:334
 call_write_iter include/linux/fs.h:2021 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x64d/0xdf0 fs/read_write.c:584
 ksys_write+0x12f/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7f83f387cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f83f466d0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f83f399bf80 RCX: 00007f83f387cae9
RDX: 0000000000000006 RSI: 0000000020000100 RDI: 0000000000000004
RBP: 00007f83f38c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f83f399bf80 R15: 00007ffdda059fd8
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [wireless?] [net?] WARNING in ieee80211_rfkill_poll

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    90b0c2b2edd1 Merge tag 'pinctrl-v6.7-1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1437f47b680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b0220f5f3436eb1a
dashboard link: https://syzkaller.appspot.com/bug?extid=7e59a5bfc7a897247e18
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13c670c0e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1310d47b680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/38f32e2d2d96/disk-90b0c2b2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ec454d0d1d26/vmlinux-90b0c2b2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/110137c447a9/bzImage-90b0c2b2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7e59a5bfc7a897247e18@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 732 at net/mac80211/driver-ops.h:688 drv_rfkill_poll net/mac80211/driver-ops.h:688 [inline]
WARNING: CPU: 1 PID: 732 at net/mac80211/driver-ops.h:688 ieee80211_rfkill_poll+0x134/0x170 net/mac80211/cfg.c:3100
Modules linked in:
CPU: 1 PID: 732 Comm: kworker/1:2 Not tainted 6.6.0-syzkaller-14142-g90b0c2b2edd1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Workqueue: events_power_efficient rfkill_poll
RIP: 0010:drv_rfkill_poll net/mac80211/driver-ops.h:688 [inline]
RIP: 0010:ieee80211_rfkill_poll+0x134/0x170 net/mac80211/cfg.c:3100
Code: 60 07 00 00 be ff ff ff ff 48 8d 78 68 e8 44 f4 38 00 31 ff 89 c5 89 c6 e8 89 59 39 fb 85 ed 0f 85 44 ff ff ff e8 0c 5e 39 fb <0f> 0b e9 38 ff ff ff e8 00 5e 39 fb 0f 0b 48 c7 c7 f8 16 34 89 e8
RSP: 0018:ffffc90001cafc90 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888100ff0700 RCX: ffffffff8614b267
RDX: ffff888107368000 RSI: ffffffff8614b274 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffffffff15c0565 R12: ffff888100ff0700
R13: 0000000000000001 R14: ffffc90001cafd80 R15: ffff8881f673ad40
FS:  0000000000000000(0000) GS:ffff8881f6700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6477ad0e40 CR3: 00000001122fe000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 rdev_rfkill_poll net/wireless/rdev-ops.h:636 [inline]
 cfg80211_rfkill_poll+0xc9/0x240 net/wireless/core.c:224
 rfkill_poll+0x8d/0x110 net/rfkill/core.c:1037
 process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
 process_scheduled_works kernel/workqueue.c:2703 [inline]
 worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
 kthread+0x33c/0x440 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: mukattreyee@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in sk_psock_verdict_data_ready

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    55c900477f5b net: fill in MODULE_DESCRIPTION()s under driv..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12586b51680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=429fa76d04cf393c
dashboard link: https://syzkaller.appspot.com/bug?extid=fd7b34375c1c8ce29c93
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=154a6ac7680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c2f876eca348/disk-55c90047.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fae06633f86c/vmlinux-55c90047.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9bdbf63cb857/bzImage-55c90047.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fd7b34375c1c8ce29c93@syzkaller.appspotmail.com

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 637d5067 P4D 637d5067 PUD 631c2067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6103 Comm: syz-executor.1 Not tainted 6.6.0-rc7-syzkaller-02075-g55c900477f5b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000314f868 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888028b0b000 RCX: 0000000000000000
RDX: 1ffff1100f3c305c RSI: ffffffff8848f069 RDI: ffff888028b0b000
RBP: 0000000000000004 R08: 0000000000000007 R09: 0000000000000000
R10: ffff888079e18000 R11: 0000000000000000 R12: ffff888079e18000
R13: 0000000000000000 R14: ffff888028b0b000 R15: ffff888028b0b000
FS:  00007fc30c5666c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000025154000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 sk_psock_verdict_data_ready net/core/skmsg.c:1228 [inline]
 sk_psock_verdict_data_ready+0x207/0x3d0 net/core/skmsg.c:1208
 unix_dgram_sendmsg+0x11b3/0x1ca0 net/unix/af_unix.c:2116
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 ____sys_sendmsg+0x2ac/0x940 net/socket.c:2558
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2612
 __sys_sendmmsg+0x1a1/0x450 net/socket.c:2698
 __do_sys_sendmmsg net/socket.c:2727 [inline]
 __se_sys_sendmmsg net/socket.c:2724 [inline]
 __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2724
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc30b87cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc30c5660c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fc30b99bf80 RCX: 00007fc30b87cae9
RDX: 0000000000000002 RSI: 0000000020001680 RDI: 0000000000000003
RBP: 00007fc30b8c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fc30b99bf80 R15: 00007ffc0cccf7e8
 </TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000314f868 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888028b0b000 RCX: 0000000000000000
RDX: 1ffff1100f3c305c RSI: ffffffff8848f069 RDI: ffff888028b0b000
RBP: 0000000000000004 R08: 0000000000000007 R09: 0000000000000000
R10: ffff888079e18000 R11: 0000000000000000 R12: ffff888079e18000
R13: 0000000000000000 R14: ffff888028b0b000 R15: ffff888028b0b000
FS:  00007fc30c5666c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000025154000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: test
Author: mukattreyee@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in sk_msg_recvmsg

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    7cf4bea77ab6 Merge tag 'for-6.6-rc6-tag' of git://git.kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b76415680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a4436b383d761e86
dashboard link: https://syzkaller.appspot.com/bug?extid=84f695756ed0c4bb3aba
compiler:       aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1780cabd680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=157c04fe680000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-7cf4bea7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8097f65801fe/vmlinux-7cf4bea7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1824f0c42bd6/Image-7cf4bea7.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+84f695756ed0c4bb3aba@syzkaller.appspotmail.com

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
  ESR = 0x0000000097c38006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  Access size = 8 byte(s)
  SSE = 0, SRT = 3
  SF = 1, AR = 0
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046851000
[0000000000000000] pgd=0800000047e00003, p4d=0800000047e00003, pud=080000004684b003, pmd=0000000000000000
Internal error: Oops: 0000000097c38006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3098 Comm: syz-executor448 Not tainted 6.6.0-rc6-syzkaller-00045-g7cf4bea77ab6 #0
Hardware name: linux,dummy-virt (DT)
pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : page_kasan_tag include/linux/mm.h:1801 [inline]
pc : lowmem_page_address include/linux/mm.h:2172 [inline]
pc : kmap_local_page include/linux/highmem-internal.h:185 [inline]
pc : copy_page_to_iter+0xb0/0x150 lib/iov_iter.c:479
lr : sk_msg_recvmsg+0xf8/0x37c net/core/skmsg.c:437
sp : ffff800082b43940
x29: ffff800082b43940 x28: 0000000000000000 x27: fdff00000526c000
x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
x23: 0000000000000000 x22: 0000040000000000 x21: ffff000000000000
x20: 0000000000001000 x19: ffff800082b43d50 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdf150998
x14: 000000000000012a x13: 000000000000012a x12: 0000000000000002
x11: 0000000000000001 x10: b5bbc95fda8a2138 x9 : 9908e50d67e0cf7a
x8 : f6ff000004f48f88 x7 : 0000000000000000 x6 : f9ff000004e6ed40
x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff800082b43d50
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 arch_static_branch_jump arch/arm64/include/asm/jump_label.h:38 [inline]
 kasan_enabled include/linux/kasan-enabled.h:13 [inline]
 page_kasan_tag include/linux/mm.h:1800 [inline]
 lowmem_page_address include/linux/mm.h:2172 [inline]
 kmap_local_page include/linux/highmem-internal.h:185 [inline]
 copy_page_to_iter+0xb0/0x150 lib/iov_iter.c:479
 sk_msg_recvmsg+0xf8/0x37c net/core/skmsg.c:437
 unix_bpf_recvmsg net/unix/unix_bpf.c:73 [inline]
 unix_bpf_recvmsg+0x13c/0x4f0 net/unix/unix_bpf.c:50
 unix_dgram_recvmsg+0x30/0x4c net/unix/af_unix.c:2457
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg net/socket.c:1066 [inline]
 sock_recvmsg net/socket.c:1062 [inline]
 ____sys_recvmsg+0x1d0/0x268 net/socket.c:2777
 ___sys_recvmsg+0x90/0xe8 net/socket.c:2819
 do_recvmmsg+0xc8/0x2f4 net/socket.c:2913
 __sys_recvmmsg net/socket.c:2992 [inline]
 __do_sys_recvmmsg net/socket.c:3015 [inline]
 __se_sys_recvmmsg net/socket.c:3008 [inline]
 __arm64_sys_recvmmsg+0xd0/0xec net/socket.c:3008
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595
Code: 8b160320 d346fc00 8b0032a0 d503201f (f9400323) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	8b160320 	add	x0, x25, x22
   4:	d346fc00 	lsr	x0, x0, #6
   8:	8b0032a0 	add	x0, x21, x0, lsl #12
   c:	d503201f 	nop
* 10:	f9400323 	ldr	x3, [x25] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: yuran.pereira@hotmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    ad7f1baed071 Merge tag 'acpi-6.6-rc6' of git://git.kernel...
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1056d5c5680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1081f1e5680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16c7bc4d680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e3074ad3ff92/disk-ad7f1bae.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94b298a1e285/vmlinux-ad7f1bae.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1ad5cd9c2a48/bzImage-ad7f1bae.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com

usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
================================================================================
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1024:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.0-rc5-syzkaller-00227-gad7f1baed071 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
 usbhid_parse+0x94a/0xa20 drivers/hid/usbhid/hid-core.c:1024
 hid_add_device+0x189/0xa60 drivers/hid/hid-core.c:2783
 usbhid_probe+0xd0a/0x1360 drivers/hid/usbhid/hid-core.c:1429
 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x117e/0x1aa0 drivers/base/core.c:3624
 usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
 usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
 usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x117e/0x1aa0 drivers/base/core.c:3624
 usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2589
 hub_port_connect drivers/usb/core/hub.c:5440 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
 port_event drivers/usb/core/hub.c:5740 [inline]
 hub_event+0x2daf/0x4e00 drivers/usb/core/hub.c:5822
 process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
 process_scheduled_works kernel/workqueue.c:2703 [inline]
 worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
 kthread+0x33c/0x440 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>
================================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [ntfs3?] WARNING in attr_data_get_block (3)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    e402b08634b3 Merge tag 'soc-fixes-6.6' of git://git.kernel..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=111e0d01680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=a9850b21d99643eadbb8
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12b684e6680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10ede4d6680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/41cd2d7ae4a2/disk-e402b086.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/06c5c0caa862/vmlinux-e402b086.xz
kernel image: https://storage.googleapis.com/syzbot-assets/483b777ed71c/bzImage-e402b086.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/f17ff5020b6d/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/6aff89451d15/mount_2.gz

The issue was bisected to:

commit 6e5be40d32fb1907285277c02e74493ed43d77fe
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Fri Aug 13 14:21:30 2021 +0000

    fs/ntfs3: Add NTFS3 in fs/Kconfig and fs/Makefile

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15f20a7c680000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=17f20a7c680000
console output: https://syzkaller.appspot.com/x/log.txt?x=13f20a7c680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a9850b21d99643eadbb8@syzkaller.appspotmail.com
Fixes: 6e5be40d32fb ("fs/ntfs3: Add NTFS3 in fs/Kconfig and fs/Makefile")

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5033 at fs/ntfs3/attrib.c:1059 attr_data_get_block+0x1926/0x2da0
Modules linked in:
CPU: 1 PID: 5033 Comm: syz-executor106 Not tainted 6.6.0-rc3-syzkaller-00214-ge402b08634b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:attr_data_get_block+0x1926/0x2da0 fs/ntfs3/attrib.c:1059
Code: 80 e1 07 80 c1 03 38 c1 0f 8c 48 ff ff ff 48 8d bc 24 e0 01 00 00 e8 19 74 18 ff 48 8b 54 24 58 e9 31 ff ff ff e8 ba 01 be fe <0f> 0b bb ea ff ff ff e9 11 fa ff ff e8 a9 01 be fe e9 0f f9 ff ff
RSP: 0018:ffffc9000406f6a0 EFLAGS: 00010293
RAX: ffffffff82d008b6 RBX: 00000000ffffffff RCX: ffff888025380000
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 00000000ffffffff
RBP: ffffc9000406f908 R08: ffffffff82d0038f R09: 1ffffffff20df689
R10: dffffc0000000000 R11: fffffbfff20df68a R12: 1ffff9200080def4
R13: 000000000000001c R14: ffff888076620140 R15: dffffc0000000000
FS:  00007f36f9b9c6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f36f9b9cd58 CR3: 0000000026956000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ntfs_fallocate+0xc6d/0x1100 fs/ntfs3/file.c:610
 vfs_fallocate+0x551/0x6b0 fs/open.c:324
 do_vfs_ioctl+0x22da/0x2b40 fs/ioctl.c:850
 __do_sys_ioctl fs/ioctl.c:869 [inline]
 __se_sys_ioctl+0x81/0x170 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f37091ff5a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f36f9b9c218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000000003f RCX: 00007f37091ff5a9
RDX: 0000000020000780 RSI: 0000000040305828 RDI: 0000000000000004
RBP: 00007f37092aa6d8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f37092aa6d0
R13: 00007f3709277a14 R14: 726665646f747561 R15: 61635f6563617073
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [mm?] [hfs?] KASAN: slab-out-of-bounds Read in generic_perform_write

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    2cf0f7156238 Merge tag 'nfs-for-6.6-2' of git://git.linux-..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=153cd286680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4ca82a1bedd37e4
dashboard link: https://syzkaller.appspot.com/bug?extid=4a2376bc62e59406c414
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11e88918680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10aea78c680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eac482f1f6bc/disk-2cf0f715.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7a69dad9f1ff/vmlinux-2cf0f715.xz
kernel image: https://storage.googleapis.com/syzbot-assets/16676b650375/bzImage-2cf0f715.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c040f8fc7107/mount_0.gz

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10e0a282680000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=12e0a282680000
console output: https://syzkaller.appspot.com/x/log.txt?x=14e0a282680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4a2376bc62e59406c414@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy_from_iter lib/iov_iter.c:380 [inline]
BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0x908/0x12f0 lib/iov_iter.c:590
Read of size 1024 at addr ffff888020b4ec00 by task kworker/u4:7/1273

CPU: 0 PID: 1273 Comm: kworker/u4:7 Not tainted 6.6.0-rc2-syzkaller-00018-g2cf0f7156238 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: loop0 loop_rootcg_workfn
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:475
 kasan_report+0x175/0x1b0 mm/kasan/report.c:588
 kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 memcpy_from_iter lib/iov_iter.c:380 [inline]
 copy_page_from_iter_atomic+0x908/0x12f0 lib/iov_iter.c:590
 generic_perform_write+0x392/0x630 mm/filemap.c:3950
 shmem_file_write_iter+0xfc/0x120 mm/shmem.c:2865
 do_iter_write+0x84f/0xde0 fs/read_write.c:860
 lo_write_bvec drivers/block/loop.c:249 [inline]
 lo_write_simple drivers/block/loop.c:271 [inline]
 do_req_filebacked drivers/block/loop.c:495 [inline]
 loop_handle_cmd drivers/block/loop.c:1915 [inline]
 loop_process_work+0x14c3/0x22a0 drivers/block/loop.c:1950
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0x90f/0x1400 kernel/workqueue.c:2703
 worker_thread+0xa5f/0xff0 kernel/workqueue.c:2784
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>

Allocated by task 5038:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1023 [inline]
 __kmalloc+0xb9/0x230 mm/slab_common.c:1036
 kmalloc include/linux/slab.h:603 [inline]
 hfsplus_read_wrapper+0x545/0x1330 fs/hfsplus/wrapper.c:178
 hfsplus_fill_super+0x38e/0x1c90 fs/hfsplus/super.c:413
 mount_bdev+0x237/0x300 fs/super.c:1629
 legacy_get_tree+0xef/0x190 fs/fs_context.c:638
 vfs_get_tree+0x8c/0x280 fs/super.c:1750
 do_new_mount+0x28f/0xae0 fs/namespace.c:3335
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888020b4ec00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 allocated 512-byte region [ffff888020b4ec00, ffff888020b4ee00)

The buggy address belongs to the physical page:
page:ffffea000082d300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20b4c
head:ffffea000082d300 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012841c80 ffffea000085e900 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 12443144717, free_ts 0
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 alloc_page_interleave+0x22/0x1d0 mm/mempolicy.c:2131
 alloc_slab_page+0x6a/0x160 mm/slub.c:1870
 allocate_slab mm/slub.c:2017 [inline]
 new_slab+0x84/0x2f0 mm/slub.c:2070
 ___slab_alloc+0xc85/0x1310 mm/slub.c:3223
 __slab_alloc mm/slub.c:3322 [inline]
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 __kmem_cache_alloc_node+0x1af/0x270 mm/slub.c:3517
 kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1114
 kmalloc include/linux/slab.h:599 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 dev_pm_qos_constraints_allocate+0x8f/0x400 drivers/base/power/qos.c:204
 __dev_pm_qos_add_request+0x121/0x4a0 drivers/base/power/qos.c:344
 dev_pm_qos_add_request+0x3a/0x60 drivers/base/power/qos.c:394
 usb_hub_create_port_device+0x4c6/0xc40 drivers/usb/core/port.c:727
 hub_configure drivers/usb/core/hub.c:1685 [inline]
 hub_probe+0x2469/0x3570 drivers/usb/core/hub.c:1922
 usb_probe_interface+0x5c4/0xb00 drivers/usb/core/driver.c:396
 really_probe+0x294/0xc30 drivers/base/dd.c:658
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888020b4ed00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888020b4ed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888020b4ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888020b4ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888020b4ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [dri?] WARNING in drm_gem_object_handle_put_unlocked

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    0bb80ecc33a8 Linux 6.6-rc1
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1002530c680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4894cf58531f
dashboard link: https://syzkaller.appspot.com/bug?extid=ef3256a360c02207a4cb
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14a79ca0680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16900402680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eeb0cac260c7/disk-0bb80ecc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3c360110254/vmlinux-0bb80ecc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/22b81065ba5f/bzImage-0bb80ecc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef3256a360c02207a4cb@syzkaller.appspotmail.com

R10: 0000000000000000 R11: 0000000000000246 R12: 00007fda971e917c
R13: 00007fda97153210 R14: 0023647261632f69 R15: 6972642f7665642f
 </TASK>
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5043 at drivers/gpu/drm/drm_gem.c:225 drm_gem_object_handle_put_unlocked+0x299/0x390 drivers/gpu/drm/drm_gem.c:225
Modules linked in:
CPU: 1 PID: 5043 Comm: syz-executor141 Not tainted 6.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
RIP: 0010:drm_gem_object_handle_put_unlocked+0x299/0x390 drivers/gpu/drm/drm_gem.c:225
Code: ea 03 0f b6 04 02 84 c0 74 0c 3c 03 7f 08 4c 89 f7 e8 2b 06 2a fd c7 83 20 01 00 00 00 00 00 00 e9 98 fe ff ff e8 57 44 d4 fc <0f> 0b 5b 5d 41 5c 41 5d 41 5e e9 48 44 d4 fc e8 43 44 d4 fc 48 8d
RSP: 0018:ffffc90003d5fbb8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888027b61000 RCX: 0000000000000000
RDX: ffff888014fcbb80 RSI: ffffffff84b38a29 RDI: 0000000000000005
RBP: ffff888027b61004 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88801d140000
R13: ffff888027b61008 R14: 0000000000000000 R15: ffff888027b61018
FS:  00007fda971536c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fda971fe794 CR3: 0000000072975000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 drm_gem_handle_create_tail+0x32f/0x540 drivers/gpu/drm/drm_gem.c:407
 drm_gem_shmem_create_with_handle drivers/gpu/drm/drm_gem_shmem_helper.c:417 [inline]
 drm_gem_shmem_dumb_create+0x21a/0x310 drivers/gpu/drm/drm_gem_shmem_helper.c:505
 drm_mode_create_dumb drivers/gpu/drm/drm_dumb_buffers.c:96 [inline]
 drm_mode_create_dumb_ioctl+0x268/0x2f0 drivers/gpu/drm/drm_dumb_buffers.c:102
 drm_ioctl_kernel+0x280/0x4c0 drivers/gpu/drm/drm_ioctl.c:789
 drm_ioctl+0x5cb/0xbf0 drivers/gpu/drm/drm_ioctl.c:892
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fda971954e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fda971531f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fda9721c3e8 RCX: 00007fda971954e9
RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 00007fda9721c3e0 R08: 00007fda97152f96 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fda971e917c
R13: 00007fda97153210 R14: 0023647261632f69 R15: 6972642f7665642f
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: mukattreyee@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [ext4?] WARNING in ext4_discard_allocated_blocks

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    7ba2090ca64e Merge tag 'ceph-for-6.6-rc1' of https://githu..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12c57f2fa80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ed626705db308b2d
dashboard link: https://syzkaller.appspot.com/bug?extid=628e71e1cb809306030f
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=111acb20680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=112d9f34680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7abbf7618c3a/disk-7ba2090c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/694adc723518/vmlinux-7ba2090c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3c5d9addc4e4/bzImage-7ba2090c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a4604150b51d/mount_0.gz

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13e3dba8680000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1013dba8680000
console output: https://syzkaller.appspot.com/x/log.txt?x=17e3dba8680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+628e71e1cb809306030f@syzkaller.appspotmail.com

ext4: mb_load_buddy failed (-117)
WARNING: CPU: 0 PID: 5538 at fs/ext4/mballoc.c:4620 ext4_discard_allocated_blocks+0x5d4/0x750 fs/ext4/mballoc.c:4619
Modules linked in:
CPU: 0 PID: 5538 Comm: syz-executor264 Not tainted 6.5.0-syzkaller-12107-g7ba2090ca64e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:ext4_discard_allocated_blocks+0x5d4/0x750 fs/ext4/mballoc.c:4619
Code: 00 0f 85 9a 01 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 eb 99 48 ff 48 c7 c7 00 42 1d 8b 44 89 fe e8 8c 14 0f ff <0f> 0b 49 bf 00 00 00 00 00 fc ff df eb 98 e8 c9 99 48 ff e9 19 fe
RSP: 0018:ffffc90005006cc0 EFLAGS: 00010246
RAX: da27be545f79de00 RBX: 0000000000000001 RCX: ffff888026741dc0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90005006dd0 R08: ffffffff81541672 R09: 1ffff1101730516a
R10: dffffc0000000000 R11: ffffed101730516b R12: ffff888076b7a124
R13: 1ffff92000a00da0 R14: ffff888076b7a0d8 R15: 00000000ffffff8b
FS:  00007f095582f6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020100000 CR3: 000000001c40b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ext4_mb_new_blocks+0x148f/0x4b30 fs/ext4/mballoc.c:6244
 ext4_ext_map_blocks+0x1e13/0x7150 fs/ext4/extents.c:4285
 ext4_map_blocks+0xa2f/0x1cb0 fs/ext4/inode.c:621
 _ext4_get_block+0x238/0x6a0 fs/ext4/inode.c:763
 ext4_block_write_begin+0x53d/0x1550 fs/ext4/inode.c:1043
 ext4_write_begin+0x619/0x10b0
 ext4_da_write_begin+0x300/0xa40 fs/ext4/inode.c:2865
 generic_perform_write+0x31b/0x630 mm/filemap.c:3942
 ext4_buffered_write_iter+0xc6/0x350 fs/ext4/file.c:299
 ext4_file_write_iter+0x1d3/0x1ad0 fs/ext4/file.c:717
 call_write_iter include/linux/fs.h:1985 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x782/0xaf0 fs/read_write.c:584
 ksys_write+0x1a0/0x2c0 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0955872bd9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f095582f218 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f09558fc6c8 RCX: 00007f0955872bd9
RDX: 000000000000a000 RSI: 0000000020000780 RDI: 0000000000000005
RBP: 00007f09558fc6c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f09558c8a38
R13: 0000000000000000 R14: 6f6f6c2f7665642f R15: 0032656c69662f2e
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [ntfs3?] WARNING in do_symlinkat (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    d4ddefee5160 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1684c769a80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9c37cc0e4fcc5f8d
dashboard link: https://syzkaller.appspot.com/bug?extid=d123d9a1df4f9a897854
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1610933da80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14d81e5fa80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/faa4473182fa/disk-d4ddefee.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f12b676582f4/vmlinux-d4ddefee.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e8c9cea34485/bzImage-d4ddefee.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/027d8c9977f5/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d123d9a1df4f9a897854@syzkaller.appspotmail.com

DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff8880715bea70, owner = 0x0, curr 0xffff88802212bb80, list empty
WARNING: CPU: 1 PID: 5387 at kernel/locking/rwsem.c:1370 __up_write kernel/locking/rwsem.c:1369 [inline]
WARNING: CPU: 1 PID: 5387 at kernel/locking/rwsem.c:1370 up_write+0x4f4/0x580 kernel/locking/rwsem.c:1626
Modules linked in:
CPU: 1 PID: 5387 Comm: syz-executor310 Not tainted 6.5.0-rc6-syzkaller-00200-gd4ddefee5160 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:__up_write kernel/locking/rwsem.c:1369 [inline]
RIP: 0010:up_write+0x4f4/0x580 kernel/locking/rwsem.c:1626
Code: 48 c7 c7 20 8c 0a 8b 48 c7 c6 60 8e 0a 8b 48 8b 54 24 28 48 8b 4c 24 18 4d 89 e0 4c 8b 4c 24 30 53 e8 30 59 e8 ff 48 83 c4 08 <0f> 0b e9 75 fd ff ff 48 c7 c1 88 ab 98 8e 80 e1 07 80 c1 03 38 c1
RSP: 0018:ffffc900042afd40 EFLAGS: 00010292
RAX: 083997afe1a51c00 RBX: ffffffff8b0a8d00 RCX: ffff88802212bb80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc900042afe10 R08: ffffffff8152d442 R09: 1ffff92000855f20
R10: dffffc0000000000 R11: fffff52000855f21 R12: 0000000000000000
R13: ffff8880715bea70 R14: 1ffff92000855fb0 R15: dffffc0000000000
FS:  00007f472f84f6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4737a71000 CR3: 000000002634e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 inode_unlock include/linux/fs.h:776 [inline]
 done_path_create fs/namei.c:3937 [inline]
 do_symlinkat+0x25e/0x610 fs/namei.c:4505
 __do_sys_symlink fs/namei.c:4524 [inline]
 __se_sys_symlink fs/namei.c:4522 [inline]
 __x64_sys_symlink+0x7e/0x90 fs/namei.c:4522
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4737ab3d89
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f472f84f218 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f4737b5b6d8 RCX: 00007f4737ab3d89
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000020000540
RBP: 00007f4737b5b6d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4737b27954
R13: 00007f4737b27850 R14: 0031656c69662f2e R15: 0030656c69662f2e
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] [bpf?] [reiserfs?] WARNING: locking bug in corrupted (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    c17414a273b8 Merge tag 'sh-for-v6.5-tag1' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13cc4baca80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7ad417033279f15a
dashboard link: https://syzkaller.appspot.com/bug?extid=3779764ddb7a3e19437f
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12bbd544a80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13fd50b0a80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ea495e93586c/disk-c17414a2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdb03e817e47/vmlinux-c17414a2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/20ba23616f1f/bzImage-c17414a2.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/98d086ce1a87/mount_0.gz

The issue was bisected to:

commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Fri Jul 2 04:07:43 2021 +0000

    reiserfs: add check for root_inode in reiserfs_fill_super

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=143b663ca80000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=163b663ca80000
console output: https://syzkaller.appspot.com/x/log.txt?x=123b663ca80000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3779764ddb7a3e19437f@syzkaller.appspotmail.com
Fixes: 2acf15b94d5b ("reiserfs: add check for root_inode in reiserfs_fill_super")

------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(depth >= MAX_LOCK_DEPTH)
WARNING: CPU: 0 PID: 0 at kernel/locking/lockdep.c:5045 __lock_acquire+0x164b/0x5e20 kernel/locking/lockdep.c:5045
Modules linked in:
CPU: 0 PID: 0 Comm:  Not tainted 6.4.0-syzkaller-12069-gc17414a273b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:__lock_acquire+0x164b/0x5e20 kernel/locking/lockdep.c:5045
Code: d2 0f 85 be 47 00 00 44 8b 3d 0d b3 44 0d 45 85 ff 0f 85 40 f8 ff ff 48 c7 c6 40 9f 6c 8a 48 c7 c7 e0 6e 6c 8a e8 b5 46 e6 ff <0f> 0b e9 29 f8 ff ff 48 8d 7d f8 48 b8 00 00 00 00 00 fc ff df 48
RSP: 0018:ffffc90000007ca8 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 1ffff92000000fc7 RCX: 0000000000000000
RDX: ffff8880779d5940 RSI: ffffffff814c34f7 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880779d5940
R13: ffff8880b982b898 R14: 0000000000000000 R15: 0000000000000000
FS:  00005555573b8300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffde3197000 CR3: 00000000173e2000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at kernel/rcu/tree_plugin.h:431 arch_local_irq_enable arch/x86/include/asm/irqflags.h:78 [inline]
WARNING: CPU: 0 PID: 0 at kernel/rcu/tree_plugin.h:431 arch_local_irq_restore arch/x86/include/asm/irqflags.h:135 [inline]
WARNING: CPU: 0 PID: 0 at kernel/rcu/tree_plugin.h:431 rcu_read_unlock_special kernel/rcu/tree_plugin.h:678 [inline]
WARNING: CPU: 0 PID: 0 at kernel/rcu/tree_plugin.h:431 __rcu_read_unlock+0x24b/0x570 kernel/rcu/tree_plugin.h:426
Modules linked in:
CPU: 0 PID: 0 Comm:  Not tainted 6.4.0-syzkaller-12069-gc17414a273b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:__rcu_read_unlock+0x24b/0x570 kernel/rcu/tree_plugin.h:431
Code: 00 e8 49 4f df ff 4d 85 f6 74 05 e8 cf c3 1c 00 9c 58 f6 c4 02 0f 85 78 02 00 00 4d 85 f6 0f 84 83 fe ff ff fb e9 7d fe ff ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 e8 25 50 69 00 e9 2a fe ff ff e8
RSP: 0018:ffffc900000079d8 EFLAGS: 00010096
RAX: 00000000ffff8880 RBX: ffff8880779d5940 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8192bb90 RDI: ffff8880779d5d7c
RBP: ffff8880779d5940 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880779d5940
R13: ffffc90000007bf8 R14: 0000000000000000 R15: ffffc90000007a98
FS:  00005555573b8300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffde3197000 CR3: 00000000173e2000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 rcu_read_unlock include/linux/rcupdate.h:781 [inline]
 is_bpf_text_address+0x85/0x1b0 kernel/bpf/core.c:721
 kernel_text_address kernel/extable.c:125 [inline]
 kernel_text_address+0x3d/0x80 kernel/extable.c:94
 __kernel_text_address+0xd/0x30 kernel/extable.c:79
 show_trace_log_lvl+0x1c7/0x390 arch/x86/kernel/dumpstack.c:259
 __warn+0xe6/0x390 kernel/panic.c:671
 __report_bug lib/bug.c:199 [inline]
 report_bug+0x2da/0x500 lib/bug.c:219
 handle_bug+0x3c/0x70 arch/x86/kernel/traps.c:324
 exc_invalid_op+0x18/0x50 arch/x86/kernel/traps.c:345
 asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:568
RIP: 0010:__lock_acquire+0x164b/0x5e20 kernel/locking/lockdep.c:5045
Code: d2 0f 85 be 47 00 00 44 8b 3d 0d b3 44 0d 45 85 ff 0f 85 40 f8 ff ff 48 c7 c6 40 9f 6c 8a 48 c7 c7 e0 6e 6c 8a e8 b5 46 e6 ff <0f> 0b e9 29 f8 ff ff 48 8d 7d f8 48 b8 00 00 00 00 00 fc ff df 48
RSP: 0018:ffffc90000007ca8 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 1ffff92000000fc7 RCX: 0000000000000000
RDX: ffff8880779d5940 RSI: ffffffff814c34f7 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880779d5940
R13: ffff8880b982b898 R14: 0000000000000000 R15: 0000000000000000
 lock_acquire kernel/locking/lockdep.c:5761 [inline]
 lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5726
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162
 hrtimer_interrupt+0x107/0x7b0 kernel/time/hrtimer.c:1795
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1098 [inline]
 __sysvec_apic_timer_interrupt+0x14a/0x430 arch/x86/kernel/apic/apic.c:1115
 sysvec_apic_timer_interrupt+0x92/0xc0 arch/x86/kernel/apic/apic.c:1109
 </IRQ>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: tintinm2017@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] UBSAN: array-index-out-of-bounds in diWrite

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    493ffd6605b2 Merge tag 'ucount-rlimits-cleanups-for-v5.19'..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1512cd9a880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
dashboard link: https://syzkaller.appspot.com/bug?extid=c1056fdfe414463fdb33
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12f431d2880000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1208894a880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f1ff6481e26f/disk-493ffd66.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/101bd3c7ae47/vmlinux-493ffd66.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/720c16671db9/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c1056fdfe414463fdb33@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:749:4
index 255 is out of range for type 'struct dtslot [128]'
CPU: 1 PID: 3606 Comm: syz-executor322 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283
 diWrite+0x1311/0x1f80 fs/jfs/jfs_imap.c:749
 txCommit+0xa2e/0x6d40 fs/jfs/jfs_txnmgr.c:1250
 jfs_mkdir+0x911/0xb00 fs/jfs/namei.c:290
 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013
 do_mkdirat+0x279/0x550 fs/namei.c:4038
 __do_sys_mkdirat fs/namei.c:4053 [inline]
 __se_sys_mkdirat fs/namei.c:4051 [inline]
 __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1a977dfe49
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8f230c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1a977dfe49
RDX: 00000000000001ff RSI: 00000000200000c0 RDI: ffffffffffffff9c
RBP: 00007f1a9779f610 R08: 0000000000000000 R09: 0000000000000000
R10: 00005555566302c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000fc R15: 0000000000000000
 </TASK>
================================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: test
Author: ghandatmanas@gmail.com

#syz test: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: test
Author: ghandatmanas@gmail.com

#syz test: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: test
Author: ghandatmanas@gmail.com

#syz test: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Re: [syzbot] test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: test
Author: ghandatmanas@gmail.com

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[syzbot] general protection fault in l2cap_chan_timeout (3)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    f4bc5bbb5fef Merge tag 'nfsd-5.17-2' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=172ce872700000
kernel config:  https://syzkaller.appspot.com/x/.config?x=88e0a6a3dbf057cf
dashboard link: https://syzkaller.appspot.com/bug?extid=f0908ddc8b64b86e81f2
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1392aa3c700000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16d514a4700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f0908ddc8b64b86e81f2@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc000000005a: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000002d0-0x00000000000002d7]
CPU: 1 PID: 5789 Comm: kworker/1:2 Not tainted 5.17.0-rc3-syzkaller-00043-gf4bc5bbb5fef #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:__mutex_lock_common+0x110/0x2490 kernel/locking/mutex.c:579
Code: 38 84 c0 0f 85 26 1c 00 00 83 3d 3a c6 aa 06 00 48 8b 5c 24 08 4c 8d ac 24 c0 00 00 00 75 21 48 8d 7b 60 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 74 05 e8 34 7e bc f7 48 39 5b 60 0f 85 b1 17 00 00
RSP: 0018:ffffc9000a4efaa0 EFLAGS: 00010206
RAX: 000000000000005a RBX: 0000000000000270 RCX: ffffffff90bf9803
RDX: dffffc0000000000 RSI: ffff888077be5700 RDI: 00000000000002d0
RBP: ffffc9000a4efc08 R08: dffffc0000000000 R09: ffffc9000a4efb60
R10: fffff5200149df71 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc9000a4efb60 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000140 CR3: 0000000018ada000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __mutex_lock kernel/locking/mutex.c:733 [inline]
 mutex_lock_nested+0x1a/0x20 kernel/locking/mutex.c:785
 l2cap_chan_timeout+0x53/0x280 net/bluetooth/l2cap_core.c:422
 process_one_work+0x850/0x1130 kernel/workqueue.c:2307
 worker_thread+0xab1/0x1300 kernel/workqueue.c:2454
 kthread+0x2a3/0x2d0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__mutex_lock_common+0x110/0x2490 kernel/locking/mutex.c:579
Code: 38 84 c0 0f 85 26 1c 00 00 83 3d 3a c6 aa 06 00 48 8b 5c 24 08 4c 8d ac 24 c0 00 00 00 75 21 48 8d 7b 60 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 74 05 e8 34 7e bc f7 48 39 5b 60 0f 85 b1 17 00 00
RSP: 0018:ffffc9000a4efaa0 EFLAGS: 00010206
RAX: 000000000000005a RBX: 0000000000000270 RCX: ffffffff90bf9803
RDX: dffffc0000000000 RSI: ffff888077be5700 RDI: 00000000000002d0
RBP: ffffc9000a4efc08 R08: dffffc0000000000 R09: ffffc9000a4efb60
R10: fffff5200149df71 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc9000a4efb60 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcd341ae06d CR3: 0000000018ada000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	38 84 c0 0f 85 26 1c 	cmp    %al,0x1c26850f(%rax,%rax,8)
   7:	00 00                	add    %al,(%rax)
   9:	83 3d 3a c6 aa 06 00 	cmpl   $0x0,0x6aac63a(%rip)        # 0x6aac64a
  10:	48 8b 5c 24 08       	mov    0x8(%rsp),%rbx
  15:	4c 8d ac 24 c0 00 00 	lea    0xc0(%rsp),%r13
  1c:	00
  1d:	75 21                	jne    0x40
  1f:	48 8d 7b 60          	lea    0x60(%rbx),%rdi
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	74 05                	je     0x36
  31:	e8 34 7e bc f7       	callq  0xf7bc7e6a
  36:	48 39 5b 60          	cmp    %rbx,0x60(%rbx)
  3a:	0f 85 b1 17 00 00    	jne    0x17f1


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Re: [syzbot] Test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test
Author: yuran.pereira@hotmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master