Hi, we would like to report the following bug, which was found by our modified version of syzkaller. ====================================================== description: INFO: task hung in __floppy_read_block_0 affected file: drivers/block/floppy.c kernel version: 5.19-rc6 kernel commit: 32346491ddf24599decca06190ebca03ff9de7f8 git tree: upstream kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=cd73026ceaed1402 crash reproducer: attached ====================================================== triage notes: the hung task (pid 9482) entered the driver through ioctl cmd 0x241 (RSI in the register dump below), i.e. _IO(2, 0x41), consistent with FDCLRPRM; it holds floppy_mutex (taken in fd_ioctl) and sleeps in wait_for_completion() via invalidate_drive -> floppy_revalidate -> __floppy_read_block_0 and never wakes. Every other reported task is queued behind it on floppy_mutex or on the disk's open_mutex (see "Showing all locks held in the system"), so one stuck floppy request pins every open()/ioctl() on the device. The attached reproducer opens /dev/fd0 read-write, so it needs that access on the target. Note also that the running kernel reports itself as 5.19.0-rc6-g2eae0556bb9d with taint G OE (out-of-tree/unsigned module loaded), which does not match the commit quoted above; please confirm which tree the log came from. ====================================================== Crash log: ====================================================== INFO: task syz-executor.1:9482 blocked for more than 143 seconds. Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.1 state:D stack:27528 pid: 9482 ppid: 5005 flags:0x00004004 Call Trace: <TASK> context_switch kernel/sched/core.c:5146 [inline] __schedule+0xa76/0x5140 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_timeout+0x5e5/0x890 kernel/time/timer.c:1911 do_wait_for_common kernel/sched/completion.c:85 [inline] __wait_for_common kernel/sched/completion.c:106 [inline] wait_for_common kernel/sched/completion.c:117 [inline] wait_for_completion+0x182/0x360 kernel/sched/completion.c:138 __floppy_read_block_0+0x1dd/0x290 drivers/block/floppy.c:4162 floppy_revalidate+0x74f/0xa90 drivers/block/floppy.c:4206 invalidate_drive+0xeb/0x120 drivers/block/floppy.c:3219 fd_locked_ioctl+0xac1/0x1720 drivers/block/floppy.c:3467 fd_ioctl+0x35/0x50 drivers/block/floppy.c:3574 blkdev_ioctl+0x36e/0x800 block/ioctl.c:614 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa70548d4ed RSP: 002b:00007fa706530be8 EFLAGS: 00000246 ORIG_RAX:
0000000000000010 RAX: ffffffffffffffda RBX: 00007fa7055abf60 RCX: 00007fa70548d4ed RDX: 0000000000000000 RSI: 0000000000000241 RDI: 0000000000000003 RBP: 00007fa7054f92e1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff9363b3ef R14: 00007fa7055abf60 R15: 00007fa706530d80 </TASK> INFO: task syz-executor.1:9490 blocked for more than 143 seconds. Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.1 state:D stack:28120 pid: 9490 ppid: 5005 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5146 [inline] __schedule+0xa76/0x5140 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747 blkdev_get_by_dev block/bdev.c:814 [inline] blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787 blkdev_open+0x13c/0x2c0 block/fops.c:481 do_dentry_open+0x4a1/0x11f0 fs/open.c:848 do_open fs/namei.c:3520 [inline] path_openat+0x1c51/0x2890 fs/namei.c:3653 do_filp_open+0x1c1/0x290 fs/namei.c:3680 do_sys_openat2+0x61b/0x990 fs/open.c:1278 do_sys_open+0xc3/0x140 fs/open.c:1294 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa70543caf4 RSP: 002b:00007fa70650f710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007fa70543caf4 RDX: 0000000000000003 RSI: 00007fa70650f7b0 RDI: 00000000ffffff9c RBP: 00007fa70650f7b0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 00007fff9363b3ef R14: 00007fa7055ac040 R15: 00007fa70650fd80 </TASK> INFO: task syz-executor.1:9498 blocked for more than 143 seconds. 
Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.1 state:D stack:29272 pid: 9498 ppid: 5005 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5146 [inline] __schedule+0xa76/0x5140 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747 fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573 blkdev_ioctl+0x36e/0x800 block/ioctl.c:614 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa70548d4ed RSP: 002b:00007fa703a8bbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fa7055ac120 RCX: 00007fa70548d4ed RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000003 RBP: 00007fa7054f92e1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff9363b3ef R14: 00007fa7055ac120 R15: 00007fa703a8bd80 </TASK> INFO: task syz-executor.1:9506 blocked for more than 143 seconds. Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor.1 state:D stack:29272 pid: 9506 ppid: 5005 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5146 [inline] __schedule+0xa76/0x5140 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747 fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573 blkdev_ioctl+0x36e/0x800 block/ioctl.c:614 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa70548d4ed RSP: 002b:00007fa70386abe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fa7055ac200 RCX: 00007fa70548d4ed RDX: 0000000000000000 RSI: 0000000000000247 RDI: 0000000000000003 RBP: 00007fa7054f92e1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff9363b3ef R14: 00007fa7055ac200 R15: 00007fa70386ad80 </TASK> INFO: task syz-executor.1:9523 blocked for more than 143 seconds. Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor.1 state:D stack:28120 pid: 9523 ppid: 5005 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5146 [inline] __schedule+0xa76/0x5140 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747 blkdev_get_by_dev block/bdev.c:814 [inline] blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787 blkdev_open+0x13c/0x2c0 block/fops.c:481 do_dentry_open+0x4a1/0x11f0 fs/open.c:848 do_open fs/namei.c:3520 [inline] path_openat+0x1c51/0x2890 fs/namei.c:3653 do_filp_open+0x1c1/0x290 fs/namei.c:3680 do_sys_openat2+0x61b/0x990 fs/open.c:1278 do_sys_open+0xc3/0x140 fs/open.c:1294 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa70543caf4 RSP: 002b:00007fa703649710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007fa70543caf4 RDX: 0000000000000003 RSI: 00007fa7036497b0 RDI: 00000000ffffff9c RBP: 00007fa7036497b0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 00007fff9363b3ef R14: 00007fa7055ac2e0 R15: 00007fa703649d80 </TASK> INFO: task syz-executor.1:9526 blocked for more than 143 seconds. Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor.1 state:D stack:28120 pid: 9526 ppid: 5005 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5146 [inline] __schedule+0xa76/0x5140 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747 blkdev_get_by_dev block/bdev.c:814 [inline] blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787 blkdev_open+0x13c/0x2c0 block/fops.c:481 do_dentry_open+0x4a1/0x11f0 fs/open.c:848 do_open fs/namei.c:3520 [inline] path_openat+0x1c51/0x2890 fs/namei.c:3653 do_filp_open+0x1c1/0x290 fs/namei.c:3680 do_sys_openat2+0x61b/0x990 fs/open.c:1278 do_sys_open+0xc3/0x140 fs/open.c:1294 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa70543caf4 RSP: 002b:00007fa703428710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007fa70543caf4 RDX: 0000000000000003 RSI: 00007fa7034287b0 RDI: 00000000ffffff9c RBP: 00007fa7034287b0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 00007fff9363b3ef R14: 00007fa7055ac3c0 R15: 00007fa703428d80 </TASK> INFO: task syz-executor.1:9537 blocked for more than 143 seconds. Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor.1 state:D stack:28584 pid: 9537 ppid: 5005 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5146 [inline] __schedule+0xa76/0x5140 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747 fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573 blkdev_ioctl+0x36e/0x800 block/ioctl.c:614 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa70548d4ed RSP: 002b:00007fa703207be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fa7055ac4a0 RCX: 00007fa70548d4ed RDX: 0000000020000200 RSI: 0000000040200242 RDI: 0000000000000003 RBP: 00007fa7054f92e1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff9363b3ef R14: 00007fa7055ac4a0 R15: 00007fa703207d80 </TASK> INFO: task syz-executor.6:9486 blocked for more than 143 seconds. Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor.6 state:D stack:28120 pid: 9486 ppid: 6033 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5146 [inline] __schedule+0xa76/0x5140 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747 floppy_open+0x7f/0xdb0 drivers/block/floppy.c:3994 blkdev_get_whole+0x99/0x260 block/bdev.c:673 blkdev_get_by_dev block/bdev.c:823 [inline] blkdev_get_by_dev+0x4a8/0xae0 block/bdev.c:787 blkdev_open+0x13c/0x2c0 block/fops.c:481 do_dentry_open+0x4a1/0x11f0 fs/open.c:848 do_open fs/namei.c:3520 [inline] path_openat+0x1c51/0x2890 fs/namei.c:3653 do_filp_open+0x1c1/0x290 fs/namei.c:3680 do_sys_openat2+0x61b/0x990 fs/open.c:1278 do_sys_open+0xc3/0x140 fs/open.c:1294 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f9e8623caf4 RSP: 002b:00007f9e8731f710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007f9e8623caf4 RDX: 0000000000000003 RSI: 00007f9e8731f7b0 RDI: 00000000ffffff9c RBP: 00007f9e8731f7b0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 00007ffe6d243b2f R14: 00007f9e863abf60 R15: 00007f9e8731fd80 </TASK> INFO: task syz-executor.5:9503 blocked for more than 143 seconds. Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz-executor.5 state:D stack:28120 pid: 9503 ppid: 6502 flags:0x00004004 Call Trace: <TASK> context_switch kernel/sched/core.c:5146 [inline] __schedule+0xa76/0x5140 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xfa9/0x1f50 kernel/locking/mutex.c:747 blkdev_get_by_dev block/bdev.c:814 [inline] blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787 blkdev_open+0x13c/0x2c0 block/fops.c:481 do_dentry_open+0x4a1/0x11f0 fs/open.c:848 do_open fs/namei.c:3520 [inline] path_openat+0x1c51/0x2890 fs/namei.c:3653 do_filp_open+0x1c1/0x290 fs/namei.c:3680 do_sys_openat2+0x61b/0x990 fs/open.c:1278 do_sys_open+0xc3/0x140 fs/open.c:1294 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fc9a783caf4 RSP: 002b:00007fc9a5f27710 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007fc9a783caf4 RDX: 0000000000000000 RSI: 00007fc9a5f277b0 RDI: 00000000ffffff9c RBP: 00007fc9a5f277b0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007ffda907f81f R14: 00007fc9a79abf60 R15: 00007fc9a5f27d80 </TASK> Showing all locks held in the system: 2 locks held by kworker/u4:1/12: 1 lock held by khungtaskd/30: #0: ffffffff8bd83aa0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6491 1 lock held by in:imklog/6573: #0: ffff88810db62368 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe3/0x100 fs/file.c:1036 5 locks held by kworker/u4:4/8242: #0: ffff888063c39ed8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x120 kernel/sched/core.c:544 #1: ffff888063c277c8 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: process_one_work+0x8e4/0x1650 kernel/workqueue.c:2264 #2: ffffffff8bdbc198 
(dma_spin_lock){-.-.}-{2:2}, at: claim_dma_lock arch/x86/include/asm/dma.h:156 [inline] #2: ffffffff8bdbc198 (dma_spin_lock){-.-.}-{2:2}, at: floppy_ready drivers/block/floppy.c:1946 [inline] #2: ffffffff8bdbc198 (dma_spin_lock){-.-.}-{2:2}, at: floppy_ready+0xb27/0x19b0 drivers/block/floppy.c:1926 #3: ffff888063c28398 (&base->lock){-.-.}-{2:2} , at: lock_timer_base+0x5a/0x1f0 kernel/time/timer.c:999 #4: ffffffff911ba350 (&obj_hash[i].lock ){-.-.}-{2:2}, at: console_lock_spinning_disable_and_check kernel/printk/printk.c:1830 [inline] ){-.-.}-{2:2}, at: console_emit_next_record.constprop.0+0x40a/0x840 kernel/printk/printk.c:2737 1 lock held by syz-executor.1/9482: #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573 1 lock held by syz-executor.1/9490: #0: ffff8880174eb118 ( &disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline] &disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787 1 lock held by syz-executor.1/9498: #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573 1 lock held by syz-executor.1/9506: #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573 1 lock held by syz-executor.1/9523: #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline] (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787 1 lock held by syz-executor.1/9526: #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline] #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787 1 lock held by syz-executor.1/9537: #0: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: fd_ioctl+0x25/0x50 drivers/block/floppy.c:3573 2 locks held by syz-executor.6/9486: #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 
[inline] #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787 #1: ffffffff8c8f20e8 (floppy_mutex){+.+.}-{3:3}, at: floppy_open+0x7f/0xdb0 drivers/block/floppy.c:3994 1 lock held by syz-executor.5/9503: #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev block/bdev.c:814 [inline] #0: ffff8880174eb118 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0x241/0xae0 block/bdev.c:787 ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 30 Comm: khungtaskd Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111 nmi_trigger_cpumask_backtrace+0x1a1/0x1e0 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:212 [inline] watchdog+0xcc8/0x1010 kernel/hung_task.c:369 kthread+0x2e9/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 </TASK> Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 6574 Comm: rs:main Q:Reg Tainted: G OE 5.19.0-rc6-g2eae0556bb9d #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:__rq_lockp kernel/sched/sched.h:1179 [inline] RIP: 0010:rq_pin_lock kernel/sched/sched.h:1525 [inline] RIP: 0010:rq_lock_irqsave kernel/sched/sched.h:1587 [inline] RIP: 0010:sched_ttwu_pending+0x114/0x570 kernel/sched/core.c:3741 Code: 00 00 00 00 00 00 00 9c 5d fa f7 c5 00 02 00 00 0f 85 12 03 00 00 31 f6 4c 89 ff e8 e6 ad fe ff 49 8d 87 58 0d 00 00 48 89 c2 <48> 89 44 24 08 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 48 89 6c RSP: 0018:ffffc90000007d90 EFLAGS: 00000093 RAX: ffff888063c3ac18 RBX: ffff88812cffd8b8 RCX: 0000000000000000 RDX: ffff888063c3ac18 RSI: 
0000000000000003 RDI: 0000000000000001 RBP: 0000000000000046 R08: fffff52000000f9c R09: fffff52000000f9d R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: 1ffff92000000fb9 R14: ffff88812cffd8c0 R15: ffff888063c39ec0 FS: 00007f6eca9fd700(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6ec0000000 CR3: 000000001700a000 CR4: 0000000000150ef0 Call Trace: <IRQ> __flush_smp_call_function_queue+0x451/0x9a0 kernel/smp.c:681 __sysvec_call_function_single+0x95/0x3e0 arch/x86/kernel/smp.c:248 sysvec_call_function_single+0x40/0xc0 arch/x86/kernel/smp.c:243 asm_sysvec_call_function_single+0x1b/0x20 arch/x86/include/asm/idtentry.h:657 RIP: 0010:__do_softirq+0x193/0x908 kernel/softirq.c:557 Code: 89 5c 24 08 48 89 44 24 18 48 c7 c7 60 1a cb 89 e8 d2 2d da ff 65 66 c7 05 f8 92 63 76 00 00 e8 b3 07 e1 f7 fb b8 ff ff ff ff <48> c7 c3 c0 a0 a0 8b 41 0f bc c5 41 89 c7 41 83 c7 01 0f 85 ad 00 RSP: 0018:ffffc90000007f80 EFLAGS: 00000206 RAX: 00000000ffffffff RBX: ffff88810a591d80 RCX: 1ffffffff20d7bd6 RDX: 0000000000000000 RSI: 0000000000000101 RDI: 0000000000000000 RBP: ffffc9000386f648 R08: 0000000000000001 R09: fffffbfff20d0135 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu kernel/softirq.c:650 [inline] irq_exit_rcu+0xf2/0x130 kernel/softirq.c:662 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649 RIP: 0010:lock_is_held_type+0xff/0x140 kernel/locking/lockdep.c:5713 Code: 00 00 b8 ff ff ff ff 65 0f c1 05 14 57 88 76 83 f8 01 75 29 9c 58 f6 c4 02 75 3d 48 f7 04 24 00 02 00 00 74 01 fb 48 83 c4 08 <44> 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 ed eb b9 0f 0b 48 RSP: 0018:ffffc9000386f6f0 EFLAGS: 00000296 RAX: 0000000000000046 RBX: 
0000000000000004 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffffff8bd839e0 R08: fffffbfff1b7619a R09: fffffbfff1b7619b R10: 0000000000000001 R11: 000000000008a07a R12: ffff88810a591d80 R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88810a592858 lock_is_held include/linux/lockdep.h:279 [inline] rcu_read_lock_sched_held+0x9c/0xd0 kernel/rcu/update.c:125 trace_lock_release include/trace/events/lock.h:69 [inline] lock_release+0x524/0x6d0 kernel/locking/lockdep.c:5676 rcu_lock_release include/linux/rcupdate.h:274 [inline] rcu_read_unlock include/linux/rcupdate.h:728 [inline] mapping_get_entry mm/filemap.c:1902 [inline] __filemap_get_folio+0x345/0x1210 mm/filemap.c:1946 pagecache_get_page+0x2e/0x290 mm/folio-compat.c:126 ext4_da_write_begin+0x3f9/0xaf0 fs/ext4/inode.c:2977 generic_perform_write+0x240/0x570 mm/filemap.c:3779 ext4_buffered_write_iter+0x11d/0x2e0 fs/ext4/file.c:270 ext4_file_write_iter+0x448/0x14e0 fs/ext4/file.c:679 call_write_iter include/linux/fs.h:2058 [inline] new_sync_write+0x393/0x570 fs/read_write.c:504 vfs_write+0x7c4/0xab0 fs/read_write.c:591 ksys_write+0x127/0x250 fs/read_write.c:644 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f6ecf2101cd Code: c2 20 00 00 75 10 b8 01 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae fc ff ff 48 89 04 24 b8 01 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 f7 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007f6eca9fc590 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f6ec00243f0 RCX: 00007f6ecf2101cd RDX: 0000000000000310 RSI: 00007f6ec00243f0 RDI: 0000000000000009 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 00007f6ec0024170 R13: 00007f6eca9fc5b0 R14: 000055b91e051440 R15: 0000000000000310 </TASK> ---------------- Code disassembly (best 
guess), 1 bytes skipped: 0: 00 00 add %al,(%rax) 2: 00 00 add %al,(%rax) 4: 00 00 add %al,(%rax) 6: 9c pushfq 7: 5d pop %rbp 8: fa cli 9: f7 c5 00 02 00 00 test $0x200,%ebp f: 0f 85 12 03 00 00 jne 0x327 15: 31 f6 xor %esi,%esi 17: 4c 89 ff mov %r15,%rdi 1a: e8 e6 ad fe ff callq 0xfffeae05 1f: 49 8d 87 58 0d 00 00 lea 0xd58(%r15),%rax 26: 48 89 c2 mov %rax,%rdx * 29: 48 89 44 24 08 mov %rax,0x8(%rsp) <-- trapping instruction 2e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 35: fc ff df 38: 48 c1 ea 03 shr $0x3,%rdx 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 6c insb (%dx),%es:(%rdi) -- Thanks and Regards, Dipanjan
Attachment:
repro.syz
Description: Binary data
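// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for "INFO: task hung in __floppy_read_block_0"
// (drivers/block/floppy.c).  It opens /dev/fd0 read-write, issues two floppy
// ioctls, and repeats that in a fresh child process roughly every 5 seconds.
//
// WARNING: on an affected kernel this leaves tasks stuck in uninterruptible
// (D) sleep behind floppy_mutex / the disk's open_mutex, and the stuck child
// cannot be killed.  Run it only inside a disposable VM.
//
// The syscall sequence and the fixed scratch-memory layout in execute_one()
// are the fuzzer's and are kept verbatim; the helpers around them only gain
// error checks so that an environmental failure (no floppy node, mmap of the
// fixed region refused, ...) is reported instead of becoming a confusing crash.
#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Sleep for `ms` milliseconds.
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits if the clock is unavailable.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Format `what` printf-style and write it to `file` with a single write(2).
// Returns false (errno set) if the text does not fit the 1 KiB buffer, the
// file cannot be opened for writing, or the write fails or is short.  A
// truncated value is treated as an error rather than written silently.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	int n = vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	if (n < 0 || (size_t)n >= sizeof(buf)) {
		errno = EOVERFLOW;
		return false;
	}
	size_t len = (size_t)n;
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != (ssize_t)len) {
		int err = errno;  // close() may clobber errno
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// syzkaller's device-open helper.
//   a0 == 0xc / 0xb : open /dev/char/M:m or /dev/block/M:m O_RDWR, where
//                     M = (uint8_t)a1 and m = (uint8_t)a2.
//   otherwise       : a0 is a path template; each '#' (left to right) is
//                     replaced by the next decimal digit of a1, least
//                     significant first, and the result is opened with flags a2.
// Returns the descriptor or -1 (errno from open).  Templates longer than
// 1023 bytes are truncated, as in the fuzzer's original helper.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char path[128];
		snprintf(path, sizeof(path), "/dev/%s/%d:%d",
			 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(path, O_RDWR, 0);
	}

	char path[1024];
	snprintf(path, sizeof(path), "%s", (const char*)a0);  // always NUL-terminated
	char* hash;
	while ((hash = strchr(path, '#'))) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}
	return open(path, a2, 0);
}

// Kill the test child (and its process group; setup_test() made it a group
// leader) and reap it into *status.  If it does not die within ~100 ms it is
// assumed to be blocked in a FUSE request, so every FUSE connection is aborted
// and we then wait without a timeout.  A child stuck in D state — exactly the
// condition this reproducer provokes — will block here for good.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}

	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
				 ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1)
				continue;
			// Any single byte written to the abort file triggers the abort;
			// the fuzzer writes the first byte of the path, which is kept here.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	}

	for (;;) {
		int reaped = waitpid(-1, status, __WALL);
		if (reaped == pid)
			break;
		// EINTR: retry.  Anything else (ECHILD) means there is nothing left
		// to wait for; the original spun forever on -1 here.
		if (reaped == -1 && errno != EINTR)
			break;
	}
}

// Per-child setup: die with the parent, become a process-group leader so the
// whole group can be killed at once, and be the OOM killer's first choice.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

// Forever: fork a child that runs execute_one() once, give it up to 5 s,
// then kill and reap it.  Exits if fork() fails.
static void loop(void)
{
	for (;;) {
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

// Descriptors returned by the two opens; -1 if an open failed.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// The fuzzer's program.  All addresses are inside the fixed RWX region that
// main() mapped at 0x20000000.
//   1. open("/dev/fd0", O_RDWR)          (template "/dev/fd#", a1 = 0, a2 = 3)
//   2. ioctl(fd, 0x40800290, buf)        cmd decodes as _IOW(2, 0x90, 128);
//      the 0x80-byte record at 0x20000100 has a layout consistent with
//      struct floppy_drive_params (FDSETDRVPRM in <linux/fd.h>) — confirm
//      against the header before relying on that reading.
//   3. open("/dev/fd0", O_RDWR) again
//   4. ioctl(fd2, 0x249, 0)              cmd decodes as _IO(2, 0x49), which
//      looks like FDFMTEND — confirm.
// The hung-task log shows the blocked ioctl being cmd 0x241 (FDCLRPRM) from a
// different executor thread, so the hang is a lock/completion problem the
// second open+ioctl pair exposes, not something specific to these two cmds.
void execute_one(void)
{
	intptr_t res = 0;
	memcpy((void*)0x200000c0, "/dev/fd#\000", 9);
	res = syz_open_dev(0x200000c0, 0, 3);
	if (res != -1)
		r[0] = res;

	// 128-byte ioctl argument, filled field by field exactly as the fuzzer
	// emitted it (fixed values, not user input).
	*(uint8_t*)0x20000100 = 0x80;
	*(uint64_t*)0x20000108 = 7;
	*(uint64_t*)0x20000110 = 9;
	*(uint64_t*)0x20000118 = 5;
	*(uint64_t*)0x20000120 = 7;
	*(uint64_t*)0x20000128 = 1;
	*(uint64_t*)0x20000130 = 4;
	*(uint8_t*)0x20000138 = 1;
	*(uint8_t*)0x20000139 = 8;
	*(uint8_t*)0x2000013a = 1;
	*(uint8_t*)0x2000013b = 4;
	*(uint64_t*)0x20000140 = 0x7fff;
	*(uint8_t*)0x20000148 = 0x1a;
	*(uint32_t*)0x2000014c = 0x7ff;
	*(uint32_t*)0x20000150 = 2;
	*(uint32_t*)0x20000154 = 0;
	*(uint32_t*)0x20000158 = 0x800;
	*(uint32_t*)0x2000015c = -1;
	*(uint8_t*)0x20000160 = 0x20;
	*(uint8_t*)0x20000161 = 7;
	*(uint16_t*)0x20000162 = 8;
	*(uint16_t*)0x20000164 = 2;
	*(uint16_t*)0x20000166 = 9;
	*(uint16_t*)0x20000168 = 4;
	*(uint16_t*)0x2000016a = 0;
	*(uint16_t*)0x2000016c = 8;
	*(uint16_t*)0x2000016e = 1;
	*(uint16_t*)0x20000170 = 0;
	*(uint32_t*)0x20000174 = 0x2008;
	*(uint32_t*)0x20000178 = 0;
	syscall(__NR_ioctl, r[0], 0x40800290, 0x20000100ul);

	memcpy((void*)0x200000c0, "/dev/fd#\000", 9);
	res = syz_open_dev(0x200000c0, 0, 3);
	if (res != -1)
		r[1] = res;
	syscall(__NR_ioctl, r[1], 0x249, 0);
}

// Map the fixed scratch region execute_one() writes into: a PROT_NONE guard
// page on each side of a 16 MiB RWX (prot 7) area at 0x20000000.  Flags 0x32
// are MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86-64.  If any mapping is
// refused, report it and exit instead of letting execute_one() fault on an
// unmapped address.
int main(void)
{
	if (syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul) == -1 ||
	    syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul) == -1 ||
	    syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul) == -1) {
		perror("mmap of fixed scratch region failed");
		return 1;
	}
	loop();
	return 0;
}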