Re: INFO: task hung in fuse_sb_destroy
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+6339eda9cb4ebbc4c...@syzkaller.appspotmail.com

Tested on:

commit:         59fc453b21f7 Merge branch 'akpm' (patches from Andrew)
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea045471e4c756e8
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15b6042b40

Note: testing is done by a robot and is best-effort only.
Re: INFO: task hung in fuse_sb_destroy
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 59fc453b21f7 --- fs/fuse/dev.c |4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1768,8 +1768,10 @@ static int fuse_retrieve(struct fuse_con req->in.args[1].size = total_len; err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique); - if (err) + if (err) { fuse_retrieve_end(fc, req); + fuse_put_request(fc, req); + } return err; }
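Review bot: the hunk header reads `@@ -1768,8 +1768,10 @@` where Miklos's original further down the thread reads `@@ -1715,8 +1715,10 @@`; the three changed lines are identical, so this is the same fix re-based onto 59fc453b21f7 for the #syz test request, and syzbot's reply at the top of the thread confirms the reproducer no longer hangs with it applied. As the bot itself notes, that run is best-effort: it shows the reproducer stops hanging, not that the error path is leak-free on every failure of fuse_request_send_notify_reply(), so the patch still needs the usual human review of the reference handling before it goes in.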
Re: INFO: task hung in fuse_sb_destroy
On Mon, Nov 5, 2018 at 4:03 AM, Miklos Szeredi wrote:
> On Mon, Nov 5, 2018 at 11:40 AM, Miklos Szeredi wrote:
>> On Thu, Nov 1, 2018 at 12:05 PM, Dmitry Vyukov wrote:
>>> On Thu, Nov 1, 2018 at 11:49 AM, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following crash on:
>>>>
>>>> HEAD commit:    59fc453b21f7 Merge branch 'akpm' (patches from Andrew)
>>>> git tree:       upstream
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15fb244740
>>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=ea045471e4c756e8
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=6339eda9cb4ebbc4c37b
>>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=178a105d40
>>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1665113340
>>>
>>>
>>> I can easily reproduce this.
>>
>> I can't reproduce on my meager dual core notebook.
>>
>>>
>>> The repro gives me a task hung at:
>>>
>>> # cat /proc/7563/task/*/stack
>>> [<0>] fuse_wait_aborted+0x20b/0x320
>>> [<0>] fuse_sb_destroy+0xe2/0x1d0
>>> [<0>] fuse_kill_sb_anon+0x15/0x20
>>> [<0>] deactivate_locked_super+0x97/0x100
>>> [<0>] deactivate_super+0x2bb/0x320
>>> [<0>] cleanup_mnt+0xbf/0x160
>>> [<0>] __cleanup_mnt+0x16/0x20
>>> [<0>] task_work_run+0x1e8/0x2a0
>>> [<0>] exit_to_usermode_loop+0x318/0x380
>>> [<0>] do_syscall_64+0x6be/0x820
>>> [<0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>> [<0>] 0x
>>>
>>> I double checked that writing to /sys/fs/fuse/connections/44/abort did
>>> not help (the only entry in fuse/connections). Wrote multiple times,
>>> and tried to kill the task, nothing helps.
>>
>> What's the output of
>>
>> cat /sys/fs/fuse/connections/NN/waiting
>>
>> ?
>
> I think I found the culprit. Does the attached patch fix it?

Hi Miklos,

I am travelling for the next weeks, but you can ask syzbot to test any patches:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches
Re: INFO: task hung in fuse_sb_destroy
On Mon, Nov 5, 2018 at 11:40 AM, Miklos Szeredi wrote:
> On Thu, Nov 1, 2018 at 12:05 PM, Dmitry Vyukov wrote:
>> On Thu, Nov 1, 2018 at 11:49 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:    59fc453b21f7 Merge branch 'akpm' (patches from Andrew)
>>> git tree:       upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15fb244740
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=ea045471e4c756e8
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=6339eda9cb4ebbc4c37b
>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=178a105d40
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1665113340
>>
>>
>> I can easily reproduce this.
>
> I can't reproduce on my meager dual core notebook.
>
>>
>> The repro gives me a task hung at:
>>
>> # cat /proc/7563/task/*/stack
>> [<0>] fuse_wait_aborted+0x20b/0x320
>> [<0>] fuse_sb_destroy+0xe2/0x1d0
>> [<0>] fuse_kill_sb_anon+0x15/0x20
>> [<0>] deactivate_locked_super+0x97/0x100
>> [<0>] deactivate_super+0x2bb/0x320
>> [<0>] cleanup_mnt+0xbf/0x160
>> [<0>] __cleanup_mnt+0x16/0x20
>> [<0>] task_work_run+0x1e8/0x2a0
>> [<0>] exit_to_usermode_loop+0x318/0x380
>> [<0>] do_syscall_64+0x6be/0x820
>> [<0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> [<0>] 0x
>>
>> I double checked that writing to /sys/fs/fuse/connections/44/abort did
>> not help (the only entry in fuse/connections). Wrote multiple times,
>> and tried to kill the task, nothing helps.
>
> What's the output of
>
> cat /sys/fs/fuse/connections/NN/waiting
>
> ?

I think I found the culprit. Does the attached patch fix it?

Thanks,
Miklos

---
 fs/fuse/dev.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1715,8 +1715,10 @@ static int fuse_retrieve(struct fuse_con req->in.args[1].size = total_len; err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique); - if (err) + if (err) { fuse_retrieve_end(fc, req); + fuse_put_request(fc, req); + } return err; }
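Review bot: the hunk has no commit message explaining why the extra `fuse_put_request(fc, req);` is needed, and no `Reported-by: syzbot+6339eda9cb4ebbc4c...@syzkaller.appspotmail.com` tag although the report asks for one; please add both when this is sent for real. The change itself reads correctly against the stack traces in this thread: a request that fuse_request_send_notify_reply() failed to send was ended via fuse_retrieve_end() but its reference was never dropped, and fuse_wait_aborted() in fuse_sb_destroy() then waits forever for it, which is the hang Dmitry could not clear by writing to the connection's abort file. Two things worth stating in the message so a reviewer does not have to re-derive them: that fuse_retrieve_end() does not itself put the request (otherwise this would be a double put), and that on the success path the reference is dropped when the reply is processed, so the error and success paths become symmetric.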
Re: INFO: task hung in fuse_sb_destroy
On Thu, Nov 1, 2018 at 12:05 PM, Dmitry Vyukov wrote:
> On Thu, Nov 1, 2018 at 11:49 AM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    59fc453b21f7 Merge branch 'akpm' (patches from Andrew)
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15fb244740
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=ea045471e4c756e8
>> dashboard link: https://syzkaller.appspot.com/bug?extid=6339eda9cb4ebbc4c37b
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=178a105d40
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1665113340
>
>
> I can easily reproduce this.

I can't reproduce on my meager dual core notebook.

>
> The repro gives me a task hung at:
>
> # cat /proc/7563/task/*/stack
> [<0>] fuse_wait_aborted+0x20b/0x320
> [<0>] fuse_sb_destroy+0xe2/0x1d0
> [<0>] fuse_kill_sb_anon+0x15/0x20
> [<0>] deactivate_locked_super+0x97/0x100
> [<0>] deactivate_super+0x2bb/0x320
> [<0>] cleanup_mnt+0xbf/0x160
> [<0>] __cleanup_mnt+0x16/0x20
> [<0>] task_work_run+0x1e8/0x2a0
> [<0>] exit_to_usermode_loop+0x318/0x380
> [<0>] do_syscall_64+0x6be/0x820
> [<0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [<0>] 0x
>
> I double checked that writing to /sys/fs/fuse/connections/44/abort did
> not help (the only entry in fuse/connections). Wrote multiple times,
> and tried to kill the task, nothing helps.

What's the output of

cat /sys/fs/fuse/connections/NN/waiting

?

Thanks,
Miklos
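A small triage helper, added here and not part of the thread, that automates the two checks the exchange above relies on: the per-connection `waiting` counter under /sys/fs/fuse/connections and which tasks are parked in fuse_wait_aborted. FUSE_CONN and PROC_ROOT are assumed names that default to the real sysfs and procfs paths but can be pointed at constructed fixtures; reading /proc/PID/stack on a real host needs root.

```shell
#!/bin/sh
# Added triage helper for a FUSE unmount that hangs in fuse_wait_aborted.
# Not from the thread; FUSE_CONN / PROC_ROOT are assumed, overridable names so the
# functions can also be exercised against constructed fixture directories.
FUSE_CONN="${FUSE_CONN:-/sys/fs/fuse/connections}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "<conn_id> <waiting>" for every connection whose 'waiting' counter is
# non-zero. A connection that stays non-zero after its 'abort' file has been
# written is the symptom discussed in the thread: a request whose reference is
# never dropped, so fuse_sb_destroy() waits for it forever.
fuse_stuck_connections() {
    for d in "$FUSE_CONN"/*/; do
        [ -r "$d/waiting" ] || continue
        w=$(cat "$d/waiting")
        if [ "$w" -gt 0 ] 2>/dev/null; then
            printf '%s %s\n' "$(basename "$d")" "$w"
        fi
    done
    return 0
}

# Print the PID of every task whose kernel stack (/proc/PID/stack, readable by
# root only) shows fuse_wait_aborted, i.e. the unmounting task that is stuck.
fuse_hung_tasks() {
    for s in "$PROC_ROOT"/[0-9]*/stack; do
        [ -r "$s" ] || continue
        if grep -q 'fuse_wait_aborted' "$s" 2>/dev/null; then
            basename "$(dirname "$s")"
        fi
    done
    return 0
}

# Stand-alone run: report both against the live system.
echo "FUSE connections with requests outstanding (id waiting):"
fuse_stuck_connections
echo "Tasks blocked in fuse_wait_aborted:"
fuse_hung_tasks
```

On the hang in this thread the first report would show connection 44 with a non-zero count even after writing to its abort file, and the second would name the task whose stack Dmitry pasted.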
Re: INFO: task hung in fuse_sb_destroy
On Thu, Nov 1, 2018 at 11:49 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    59fc453b21f7 Merge branch 'akpm' (patches from Andrew)
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15fb244740
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ea045471e4c756e8
> dashboard link: https://syzkaller.appspot.com/bug?extid=6339eda9cb4ebbc4c37b
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=178a105d40
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1665113340

I can easily reproduce this.

The repro gives me a task hung at:

# cat /proc/7563/task/*/stack
[<0>] fuse_wait_aborted+0x20b/0x320
[<0>] fuse_sb_destroy+0xe2/0x1d0
[<0>] fuse_kill_sb_anon+0x15/0x20
[<0>] deactivate_locked_super+0x97/0x100
[<0>] deactivate_super+0x2bb/0x320
[<0>] cleanup_mnt+0xbf/0x160
[<0>] __cleanup_mnt+0x16/0x20
[<0>] task_work_run+0x1e8/0x2a0
[<0>] exit_to_usermode_loop+0x318/0x380
[<0>] do_syscall_64+0x6be/0x820
[<0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<0>] 0x

I double checked that writing to /sys/fs/fuse/connections/44/abort did
not help (the only entry in fuse/connections). Wrote multiple times,
and tried to kill the task, nothing helps.

> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6339eda9cb4ebbc4c...@syzkaller.appspotmail.com
>
> INFO: task syz-executor221:17414 blocked for more than 140 seconds.
>       Not tainted 4.19.0+ #313
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
INFO: task hung in fuse_sb_destroy
Hello,

syzbot found the following crash on:

HEAD commit:    59fc453b21f7 Merge branch 'akpm' (patches from Andrew)
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15fb244740
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea045471e4c756e8
dashboard link: https://syzkaller.appspot.com/bug?extid=6339eda9cb4ebbc4c37b
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=178a105d40
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1665113340

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6339eda9cb4ebbc4c...@syzkaller.appspotmail.com

INFO: task syz-executor221:17414 blocked for more than 140 seconds.
      Not tainted 4.19.0+ #313
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor221 D23048 17414 5652 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2831 [inline]
 __schedule+0x8cf/0x21d0 kernel/sched/core.c:3472
 schedule+0xfe/0x460 kernel/sched/core.c:3516
 fuse_wait_aborted+0x20b/0x320 fs/fuse/dev.c:2155
 fuse_sb_destroy+0xe2/0x1d0 fs/fuse/inode.c:1224
 fuse_kill_sb_anon+0x15/0x20 fs/fuse/inode.c:1234
 deactivate_locked_super+0x97/0x100 fs/super.c:329
 deactivate_super+0x2bb/0x320 fs/super.c:360
 cleanup_mnt+0xbf/0x160 fs/namespace.c:1098
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1105
 task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446689
Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f621e979da8