Hi, We would like to report the following bug which has been found by our modified version of syzkaller. ====================================================== description: INFO: task hung in bdev_open affected file: block/bdev.c kernel version: 6.9-rc4 kernel commit: 0bbac3facb5d6cc0171c45c9873a2dc96bea9680 git tree: upstream kernel config: attached crash reproducer: attached ====================================================== Crash log: INFO: task systemd-udevd:20128 blocked for more than 143 seconds. Not tainted 6.9.0-rc4-dirty #3 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:systemd-udevd state:D stack:26384 pid:20128 tgid:20128 ppid:4546 flags:0x00000000 Call Trace: <TASK> context_switch kernel/sched/core.c:5409 [inline] __schedule+0xd23/0x5bc0 kernel/sched/core.c:6746 __schedule_loop kernel/sched/core.c:6823 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6838 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x508/0x930 kernel/locking/mutex.c:752 bdev_open+0x414/0xe90 block/bdev.c:868 blkdev_open+0x181/0x200 block/fops.c:620 do_dentry_open+0x6d3/0x18e0 fs/open.c:955 do_open fs/namei.c:3642 [inline] path_openat+0x1b23/0x2670 fs/namei.c:3799 do_filp_open+0x1c7/0x410 fs/namei.c:3826 do_sys_openat2+0x164/0x1d0 fs/open.c:1406 do_sys_open fs/open.c:1421 [inline] __do_sys_openat fs/open.c:1437 [inline] __se_sys_openat fs/open.c:1432 [inline] __x64_sys_openat+0x140/0x1f0 fs/open.c:1432 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xce/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fd9bba3e767 RSP: 002b:00007fffd5da4040 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fffd5da4174 RCX: 00007fd9bba3e767 RDX: 00000000000a0800 RSI: 00005593e06cf0c0 RDI: 00000000ffffff9c RBP: 00005593e06cf0c0 R08: 00005593b8b95720 R09: 00007fd9bbaf8080 R10: 0000000000000000 R11: 
0000000000000246 R12: 00000000000a0800 R13: 0000000000000000 R14: 00007fffd5da40d0 R15: 00007fffd5da4174 </TASK> INFO: task syz-executor.2:32417 blocked for more than 143 seconds. Not tainted 6.9.0-rc4-dirty #3 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.2 state:D stack:27248 pid:32417 tgid:32417 ppid:8232 flags:0x00000006 Call Trace: <TASK> context_switch kernel/sched/core.c:5409 [inline] __schedule+0xd23/0x5bc0 kernel/sched/core.c:6746 __schedule_loop kernel/sched/core.c:6823 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6838 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x508/0x930 kernel/locking/mutex.c:752 bdev_release+0x161/0x720 block/bdev.c:1050 blkdev_release+0x15/0x20 block/fops.c:628 __fput+0x282/0xbc0 fs/file_table.c:422 __fput_sync+0x45/0x50 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [inline] __se_sys_close fs/open.c:1541 [inline] __x64_sys_close+0x8a/0x120 fs/open.c:1541 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xce/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f18ba68dc0b RSP: 002b:00007ffc5ea89990 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007f18ba68dc0b RDX: 0000000000000000 RSI: 000000000000d8e4 RDI: 0000000000000006 RBP: 00007f18ba7cd980 R08: 0000000000000000 R09: 000000008ac21002 R10: 0000000000000001 R11: 0000000000000293 R12: 00000000000adc9f R13: 00007ffc5ea89a90 R14: 00007f18ba200dd0 R15: 00007f18ba200dc8 </TASK> INFO: task syz-executor.2:32420 blocked for more than 143 seconds. Not tainted 6.9.0-rc4-dirty #3 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor.2 state:D stack:28096 pid:32420 tgid:32417 ppid:8232 flags:0x00004006 Call Trace: <TASK> context_switch kernel/sched/core.c:5409 [inline] __schedule+0xd23/0x5bc0 kernel/sched/core.c:6746 __schedule_loop kernel/sched/core.c:6823 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6838 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x508/0x930 kernel/locking/mutex.c:752 bdev_release+0x161/0x720 block/bdev.c:1050 blkdev_release+0x15/0x20 block/fops.c:628 __fput+0x282/0xbc0 fs/file_table.c:422 task_work_run+0x169/0x260 kernel/task_work.c:180 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xdb/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f18ba68ed2d RSP: 002b:00007f18bb4e3028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: 0000000000000000 RBX: 00007f18ba7cbf80 RCX: 00007f18ba68ed2d RDX: 0000000000000000 RSI: 000000000000ab03 RDI: 0000000000000003 RBP: 00007f18ba6f04a6 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f18ba7cbf80 R15: 00007f18bb4c3000 </TASK> INFO: task syz-executor.2:32444 blocked for more than 143 seconds. Not tainted 6.9.0-rc4-dirty #3 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor.2 state:D stack:25264 pid:32444 tgid:32417 ppid:8232 flags:0x00004006 Call Trace: <TASK> context_switch kernel/sched/core.c:5409 [inline] __schedule+0xd23/0x5bc0 kernel/sched/core.c:6746 __schedule_loop kernel/sched/core.c:6823 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6838 io_schedule+0xbf/0x130 kernel/sched/core.c:9044 folio_wait_bit_common+0x397/0x9c0 mm/filemap.c:1283 folio_put_wait_locked mm/filemap.c:1447 [inline] do_read_cache_folio+0x2db/0x520 mm/filemap.c:3729 read_mapping_folio include/linux/pagemap.h:894 [inline] read_part_sector+0xf7/0x440 block/partitions/core.c:715 adfspart_check_POWERTEC+0x82/0x710 block/partitions/acorn.c:454 check_partition block/partitions/core.c:138 [inline] blk_add_partitions block/partitions/core.c:582 [inline] bdev_disk_changed+0x891/0x15f0 block/partitions/core.c:686 blkdev_get_whole+0x18b/0x260 block/bdev.c:667 bdev_open+0x2eb/0xe90 block/bdev.c:880 blkdev_open+0x181/0x200 block/fops.c:620 do_dentry_open+0x6d3/0x18e0 fs/open.c:955 do_open fs/namei.c:3642 [inline] path_openat+0x1b23/0x2670 fs/namei.c:3799 do_filp_open+0x1c7/0x410 fs/namei.c:3826 do_sys_openat2+0x164/0x1d0 fs/open.c:1406 do_sys_open fs/open.c:1421 [inline] __do_sys_openat fs/open.c:1437 [inline] __se_sys_openat fs/open.c:1432 [inline] __x64_sys_openat+0x140/0x1f0 fs/open.c:1432 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xce/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f18ba68d904 RSP: 002b:00007f18bb4c1b50 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007f18ba68d904 RDX: 0000000000000000 RSI: 00007f18bb4c1bf0 RDI: 00000000ffffff9c RBP: 00007f18bb4c1bf0 R08: 0000000000000000 R09: 002364626e2f7665 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 000000000000006e R14: 00007f18ba7cc050 R15: 00007f18bb4a2000 </TASK> Showing all locks held in the system: 1 lock held by khungtaskd/33: #0: ffffffff8d7b0560 
(rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8d7b0560 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #0: ffffffff8d7b0560 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6614 4 locks held by systemd-journal/4534: 2 locks held by in:imklog/7643: 5 locks held by rs:main Q:Reg/7644: 2 locks held by agetty/7994: #0: ffff888108f780a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x26/0x80 drivers/tty/tty_ldisc.c:243 #1: ffffc900024cc2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xf1d/0x1410 drivers/tty/n_tty.c:2201 1 lock held by systemd-udevd/20128: #0: ffff88801da594c8 (&disk->open_mutex){+.+.}-{3:3}, at: bdev_open+0x414/0xe90 block/bdev.c:868 1 lock held by syz-executor.2/32417: #0: ffff88801da594c8 (&disk->open_mutex){+.+.}-{3:3}, at: bdev_release+0x161/0x720 block/bdev.c:1050 1 lock held by syz-executor.2/32420: #0: ffff88801da594c8 (&disk->open_mutex){+.+.}-{3:3}, at: bdev_release+0x161/0x720 block/bdev.c:1050 1 lock held by syz-executor.2/32444: #0: ffff88801da594c8 (&disk->open_mutex){+.+.}-{3:3}, at: bdev_open+0x414/0xe90 block/bdev.c:868 1 lock held by syz-executor.2/33109: #0: ffff88801da594c8 (&disk->open_mutex){+.+.}-{3:3}, at: bdev_open+0x414/0xe90 block/bdev.c:868 1 lock held by syz-executor.2/33111: #0: ffff88801da594c8 (&disk->open_mutex){+.+.}-{3:3}, at: bdev_open+0x414/0xe90 block/bdev.c:868 1 lock held by syz-executor.2/33112: #0: ffff88801da594c8 (&disk->open_mutex){+.+.}-{3:3}, at: bdev_open+0x414/0xe90 block/bdev.c:868 1 lock held by syz-executor.2/33594: #0: ffff88801da594c8 (&disk->open_mutex){+.+.}-{3:3}, at: bdev_open+0x414/0xe90 block/bdev.c:868 1 lock held by syz-executor.2/33595: #0: ffff88801da594c8 (&disk->open_mutex){+.+.}-{3:3}, at: bdev_open+0x414/0xe90 block/bdev.c:868 ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 33 Comm: khungtaskd Not tainted 
6.9.0-rc4-dirty #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:114 nmi_cpu_backtrace+0x2a0/0x350 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline] watchdog+0xe79/0x1130 kernel/hung_task.c:380 kthread+0x2c7/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 7644 Comm: rs:main Q:Reg Not tainted 6.9.0-rc4-dirty #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline] RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline] RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline] RIP: 0010:page_table_check_clear mm/page_table_check.c:81 [inline] RIP: 0010:page_table_check_clear+0x441/0xc50 mm/page_table_check.c:61 Code: b5 19 f5 ff 48 8b 7c 24 08 48 89 f8 48 c1 e8 03 42 0f b6 14 38 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 0c 07 00 00 <8b> 43 04 31 ff 89 c6 89 44 24 08 e8 df 69 9b ff 8b 44 24 08 85 c0 RSP: 0018:ffffc9000e3a78a8 EFLAGS: 00010246 RAX: 0000000000000007 RBX: ffff888101c7e678 RCX: ffffffff81f0d92b RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888101c7e67c RBP: 0000000000000001 R08: 0000000000000000 R09: ffffed102038fccf R10: ffff888101c7e67f R11: 0000000000000000 R12: 0000000000000000 R13: ffff888101c7e630 R14: 0000000000000001 R15: dffffc0000000000 FS: 00007f0b23200700(0000) GS:ffff888063600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff21622aee0 CR3: 00000001065f6000 CR4: 0000000000750ef0 DR0: 
0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <NMI> </NMI> <TASK> __page_table_check_pte_clear+0xfc/0x110 mm/page_table_check.c:158 page_table_check_pte_clear include/linux/page_table_check.h:49 [inline] ptep_get_and_clear arch/x86/include/asm/pgtable.h:1279 [inline] __ptep_modify_prot_start include/linux/pgtable.h:1199 [inline] ptep_modify_prot_start include/linux/pgtable.h:1232 [inline] change_pte_range mm/mprotect.c:166 [inline] change_pmd_range mm/mprotect.c:422 [inline] change_pud_range mm/mprotect.c:455 [inline] change_p4d_range mm/mprotect.c:478 [inline] change_protection_range mm/mprotect.c:506 [inline] change_protection+0x1d1a/0x2f40 mm/mprotect.c:540 change_prot_numa+0xaf/0x140 mm/mempolicy.c:679 task_numa_work+0x878/0x14d0 kernel/sched/fair.c:3375 task_work_run+0x169/0x260 kernel/task_work.c:180 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xdb/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0b2458cfef Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c fd ff ff 48 RSP: 002b:00007f0b231ff830 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: 0000000000001000 RBX: 0000000000001000 RCX: 00007f0b2458cfef RDX: 0000000000001000 RSI: 00007f0b1002bee0 RDI: 000000000000000b RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 00007f0b1002bee0 R13: 0000000000000000 R14: 0000000000000037 R15: 00007f0b1002bc20 </TASK> 
====================================================== Wishing you a nice day! Best, Marius
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer attached to the "INFO: task hung in bdev_open" report above.
// Structure (all visible below): a PID/mount/IPC-sandboxed child runs
// execute_one() in a loop; execute_one() hands six numbered calls to a
// pool of worker threads, each call waiting at most 50 ms for the previous
// one. The calls open /dev/nbd0 twice, create an AF_UNIX socketpair and
// issue three NBD ioctls; the hung-task log shows the resulting
// disk->open_mutex contention between bdev_open() and bdev_release().
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/futex.h>

/* Sleep for ms milliseconds (usleep takes microseconds). */
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

/* Monotonic clock in milliseconds; exits the process if the clock is unavailable. */
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/*
 * Start a detached-by-neglect worker thread with a 128 KiB stack.
 * Retries up to 100 times on EAGAIN (thread/resource limits); any other
 * failure, or exhausting the retries, terminates the process.
 * The pthread_t is discarded, so the thread is never joined.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

/* One-shot event built on a futex word: 0 = clear, 1 = set. */
typedef struct {
  int state;
} event_t;

static void event_init(event_t* ev)
{
  ev->state = 0;
}

static void event_reset(event_t* ev)
{
  ev->state = 0;
}

/* Set the event and wake every futex waiter; setting an already-set event is treated as a fatal protocol error. */
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

/* Block until the event is set (no timeout). */
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

/*
 * Wait for the event for at most `timeout` ms.
 * Returns 1 if the event became set, 0 on timeout.
 * `remain` is recomputed each iteration so a spurious futex wakeup does not
 * extend the deadline; the final check keeps (now - start) <= timeout before
 * the next subtraction, so `remain` cannot wrap.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

/*
 * Format `what` with printf-style arguments and write it to `file` in one
 * write(2). Used here for /proc/sys knobs, so it requires the privileges to
 * write those files. Returns false (with errno preserved) if the file cannot
 * be opened or the write is short; callers below ignore the result.
 * Output is truncated at 1023 bytes.
 */
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

/* Descriptors >= 3 and < MAX_FDS are closed after every iteration (see close_fds). */
#define MAX_FDS 30

/*
 * syzkaller pseudo-syscall: open a device node.
 *  a0 == 0xc / 0xb : open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> read-write
 *                    (major/minor are truncated to uint8_t; the format is bounded
 *                    so the 128-byte buffer cannot overflow).
 *  otherwise       : a0 is a pointer to a template path; every '#' is replaced by
 *                    successive decimal digits of a1 (least significant first),
 *                    then the path is opened with flags a2.
 * In this reproducer the template is "/dev/nbd#" with a1 == 0, i.e. /dev/nbd0.
 * Returns the open(2) result (-1 on failure).
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    // Bounded copy; the explicit terminator below covers the strncpy
    // no-NUL case for over-long input.
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

/* Mount fusectl so kill_and_wait() can abort stuck FUSE connections; failure is ignored. */
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

/* Best-effort binderfs setup; every step's failure is deliberately ignored. */
static void setup_binderfs()
{
  if (mkdir("/dev/binderfs", 0777)) {
  }
  if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
  }
  if (symlink("/dev/binderfs", "./binderfs")) {
  }
}

static void loop();

/*
 * Confine the fuzzing child: die with the parent, become a session leader,
 * cap resource usage, and move into private mount/IPC/cgroup/UTS/SysV-sem
 * namespaces. Then raise the SysV IPC sysctls the fuzzer expects.
 * All unshare/mount failures are ignored, so the sandbox is best-effort:
 * if this runs without CAP_SYS_ADMIN it silently degrades to no isolation.
 */
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  // Make the whole tree private so later mounts do not propagate to the host.
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  // 0x02000000 is the raw value of CLONE_NEWCGROUP (not exposed by older headers).
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

/* Parent side of do_sandbox_none(): reap children until `pid` exits and return its exit status. */
static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

/*
 * Drop CAP_SYS_PTRACE and CAP_SYS_NICE from the first 32-bit capability word
 * (effective, permitted and inheritable). Only cap_data[0] is modified;
 * the second word (caps >= 32) is left as read. capget/capset failure is fatal.
 */
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

/*
 * "none" sandbox: fork into a new PID namespace (if permitted), set up the
 * child, and run loop() there forever. The parent only waits for the child.
 * loop() never returns, so the trailing exit(1) is reached only on error.
 */
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
  }
  write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
  setup_binderfs();
  loop();
  exit(1);
}

/*
 * Kill the test process group and wait for `pid`.
 * If it does not exit within ~100 ms, a task may be stuck in a FUSE request,
 * so every /sys/fs/fuse/connections/<id>/abort is written to before waiting
 * indefinitely. Note the write is one byte taken from the path buffer
 * itself; presumably any write to the abort file triggers the abort — the
 * content is not meaningful. A process blocked in D state on a kernel mutex
 * (as in the report above) cannot be killed this way, which is why the hang
 * is observed as a hung task rather than a reproducer timeout.
 */
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

/* Per-iteration child setup: die with parent, own process group, prefer being OOM-killed first. */
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

/* Close fds 3..MAX_FDS-1 so device handles from one iteration do not leak into the next. */
static void close_fds()
{
  for (int fd = 3; fd < MAX_FDS; fd++)
    close(fd);
}

/* Worker-thread slot: `ready` is signalled by execute_one(), `done` by the worker. */
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing in worker threads. */
static int running;

/* Worker loop: wait for a call number, run it, mark done. Never returns. */
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

/*
 * Run calls 0..5 in order. Each call is dispatched to the first idle worker
 * (creating workers lazily) and waited on for up to 50 ms; a call that is
 * still blocked after that (e.g. in the NBD ioctl) keeps its thread and the
 * next call goes to a fresh one — that is how the concurrent open/ioctl/close
 * interleaving from the hung-task log is produced. Afterwards wait up to
 * 100 ms for stragglers, then close the test fds.
 */
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 6; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
  close_fds();
}

/* Redundant re-declaration left by the generator; harmless. */
static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Fork a fresh child per iteration to run execute_one(); kill it if it has
 * not finished within 5 s. Runs forever (`iter` is only counted).
 */
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

/* Results shared between calls: r[0]/r[2] = fds of /dev/nbd0, r[1] = one end of the socketpair. -1 = not yet set. */
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/*
 * The six syscalls of the reproducer, by index. Pointers such as 0x20000080
 * lie inside the RWX region mapped in main(). The ioctl numbers are the raw
 * NBD requests on /dev/nbd0 — 0xab00, 0xab03 and 0xab07 look like
 * _IO(0xab, 0/3/7), i.e. NBD_SET_SOCK, NBD_DO_IT and NBD_SET_SIZE_BLOCKS;
 * verify against linux/nbd.h. NBD_DO_IT (call 4) blocks the calling thread
 * for the lifetime of the connection, which matches the ioctl task stuck in
 * bdev_release() in the log above.
 */
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    memcpy((void*)0x20000080, "/dev/nbd#\000", 10);
    res = -1;
    res = syz_open_dev(/*dev=*/0x20000080, /*id=*/0, /*flags=*/0);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    // domain 1 / type 1 are AF_UNIX / SOCK_STREAM; the first fd is kept in r[1].
    res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=*/1ul, /*proto=*/0, /*fds=*/0x20002080ul);
    if (res != -1)
      r[1] = *(uint32_t*)0x20002080;
    break;
  case 2:
    syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xab00, /*arg=*/r[1]);
    break;
  case 3:
    memcpy((void*)0x20000080, "/dev/nbd#\000", 10);
    res = -1;
    res = syz_open_dev(/*dev=*/0x20000080, /*id=*/0, /*flags=*/0);
    if (res != -1)
      r[2] = res;
    break;
  case 4:
    syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xab03, 0);
    break;
  case 5:
    syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0xab07, /*arg=*/6ul);
    break;
  }
}

/*
 * Map the fixed data region used by execute_call(): a 16 MiB window at
 * 0x20000000 with prot 7 (read/write/exec) fenced by two inaccessible guard
 * pages; flags 0x32 are MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86-64.
 * Then enter the sandbox; do_sandbox_none() only returns in the parent.
 */
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  do_sandbox_none();
  return 0;
}
Attachment:
repro.syz
Description: Binary data
Attachment:
config-6.9-rc4
Description: Binary data