Dear Linux Developer, Recently when using our tool to fuzz kernel, the following crash was triggered: HEAD commit: 64570fbc14f8 Linux 5.15-rc5 git tree: upstream compiler: gcc 8.0.1 console output: https://drive.google.com/file/d/1tgzWXmjFknwTTo-Y7gSi48OdM7kyVrxb/view?usp=share_link kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link Unfortunately, I don't have any reproducer for this crash yet. IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: Wei Chen <harperchen1110@xxxxxxxxx> INFO: task syz-executor.0:6566 blocked for more than 143 seconds. Not tainted 5.15.0-rc5 #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.0 state:D stack:10408 pid: 6566 ppid: 1 flags:0x00004004 Call Trace: __schedule+0x4a1/0x1720 schedule+0x36/0xe0 rwsem_down_write_slowpath+0x322/0x7a0 fuse_mount_remove+0x26/0x90 fuse_sb_destroy+0x23/0x50 fuse_kill_sb_anon+0x11/0x20 deactivate_locked_super+0x42/0x90 deactivate_super+0x9d/0xb0 cleanup_mnt+0x153/0x1d0 task_work_run+0x86/0xe0 exit_to_user_mode_prepare+0x25e/0x280 syscall_exit_to_user_mode+0x19/0x60 do_syscall_64+0x40/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x46aba7 RSP: 002b:00007ffdca8286e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000046aba7 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffdca8287a0 RBP: 00007ffdca8298a0 R08: 0000000002d3ddd3 R09: 000000000000000c R10: 00000000fffffffb R11: 0000000000000246 R12: 0000000002d3dd00 R13: 0000000000000002 R14: 0000000000000032 R15: 0000000000000bb8 Showing all locks held in the system: 1 lock held by khungtaskd/29: #0: ffffffff8641dee0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x15/0x17a 1 lock held by in:imklog/6175: #0: ffff888013fda6f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x92/0xa0 2 locks held by agetty/6224: #0: ffff888013f03098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x20/0x50 #1: ffffc900008472e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x203/0x930 2 locks held by agetty/6232: #0: ffff88810ac7d898 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x20/0x50 #1: ffffc9000084b2e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x203/0x930 2 locks held by syz-executor.0/6566: #0: ffff88802dbeb0e0 (&type->s_umount_key#53){+.+.}-{3:3}, at: deactivate_super+0x95/0xb0 #1: ffff88803ca09b38 (&fc->killsb){++++}-{3:3}, at: fuse_mount_remove+0x26/0x90 1 lock held by syz-executor.0/1879: #0: ffff88803ca09b38 (&fc->killsb){++++}-{3:3}, at: fuse_dev_do_write+0x532/0x14f0 ============================================= NMI backtrace for cpu 0 CPU: 0 PID: 29 Comm: khungtaskd Not tainted 5.15.0-rc5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0xcd/0x134 nmi_cpu_backtrace.cold.8+0xf3/0x118 nmi_trigger_cpumask_backtrace+0x18f/0x1c0 watchdog+0x9a0/0xb10 kthread+0x1a6/0x1e0 ret_from_fork+0x1f/0x30 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 10409 Comm: syz-executor.0 Not tainted 5.15.0-rc5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 RIP: 0010:perf_trace_lock_acquire+0x156/0x1a0 Code: 00 53 e8 5d 47 1d 00 5e 5f 48 8b 45 d0 65 48 33 04 25 28 00 00 00 75 4a 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 8b 03 <48> 85 c0 0f 85 1c ff ff ff eb d4 41 bd 18 00 07 00 41 bc 06 00 00 RSP: 0000:ffffc90002d97c80 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffffe8ffffc42d38 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffc90002d97cd8 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000005 R11: 0000000000000000 R12: 000000000000000e R13: 00000000000f0018 R14: ffffffff86338f00 R15: ffff88810ae79b28 FS: 00007f9a23fd1700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000110c96000 CR4: 00000000003526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lock_acquire+0x184/0x330 __might_fault+0x92/0xc0 copy_fpstate_to_sigframe+0x5a8/0x680 get_sigframe.isra.16+0xb1/0x1b0 arch_do_signal_or_restart+0x53a/0x870 exit_to_user_mode_prepare+0x138/0x280 irqentry_exit_to_user_mode+0x5/0x40 exc_page_fault+0x4a4/0x1130 asm_exc_page_fault+0x1e/0x30 RIP: 0033:0x4064fb Code: c7 f0 fe ff ff e8 65 06 02 00 85 c0 0f 84 95 01 00 00 64 f0 83 2c 25 b8 ff ff ff 01 48 8b 54 24 18 48 8b 44 24 28 4c 8b 42 78 <8b> 00 49 83 f8 ff 89 82 80 00 00 00 0f 84 13 01 00 00 48 8b 44 24 RSP: 002b:00007f9a23fd0c40 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 000000000119bfa0 RDX: 000000000119bfa0 RSI: 0000000000000001 RDI: 00007f9a23fd15f0 RBP: 000000000119bfa8 R08: 0000000000000000 R09: 000000000119bfa8 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bfac R13: 0000000000000000 R14: 000000000119bfa0 R15: 00007ffdca829770 ---------------- Code disassembly (best guess): 0: 00 53 e8 add %dl,-0x18(%rbx) 3: 5d pop %rbp 4: 47 1d 00 5e 5f 48 rex.RXB sbb $0x485f5e00,%eax a: 8b 45 d0 mov -0x30(%rbp),%eax d: 65 48 33 04 25 28 00 xor %gs:0x28,%rax 14: 00 00 16: 75 4a jne 0x62 18: 48 8d 65 d8 lea -0x28(%rbp),%rsp 1c: 5b pop %rbx 1d: 41 5c pop %r12 1f: 41 5d pop %r13 21: 41 5e pop %r14 23: 41 5f pop %r15 25: 5d pop %rbp 26: c3 retq 27: 48 8b 03 mov (%rbx),%rax * 2a: 48 85 c0 test %rax,%rax <-- trapping instruction 2d: 0f 85 1c ff ff ff jne 0xffffff4f 33: eb d4 jmp 0x9 35: 41 bd 18 00 07 00 mov $0x70018,%r13d 3b: 41 rex.B 3c: bc .byte 0xbc 3d: 06 (bad) Best, Wei
