Re: INFO: task hung in blk_freeze_queue
A patch for this specific report is ready. I don't know whether other "dup" reports will be solved by this patch. Thus, I "undup" this report.
#syz undup
>From eed54c6ae475860a9c63b37b58f34735e792eef7 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa
Date: Sat, 5 May 2018 12:59:12 +0900
Subject: [PATCH] block/loop: Add recursion check for LOOP_CHANGE_FD request.
syzbot is reporting hung tasks at blk_freeze_queue() [1]. This is due to ioctl(loop_fd, LOOP_CHANGE_FD, loop_fd) request which should be rejected. Fix this by adding same recursion check which is used by LOOP_SET_FD request.
Signed-off-by: Tetsuo Handa
Reported-by: syzbot
Cc: Jens Axboe
---
 drivers/block/loop.c | 59
 1 file changed, 37 insertions(+), 22 deletions(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 5d4e316..cee3c01 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -644,6 +644,34 @@ static void loop_reread_partitions(struct loop_device *lo,
 __func__, lo->lo_number, lo->lo_file_name, rc);
 }
 
+static inline int is_loop_device(struct file *file)
+{
+ struct inode *i = file->f_mapping->host;
+
+ return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR;
+}
+
+static int check_loop_recursion(struct file *f, struct block_device *bdev)
+{
+ /*
+* FIXME: Traversing on other loop devices without corresponding
+* lo_ctl_mutex is not safe. l->lo_state can become Lo_rundown and
+* l->lo_backing_file can become NULL when raced with LOOP_CLR_FD.
+*/
+ while (is_loop_device(f)) {
+ struct loop_device *l;
+
+ if (f->f_mapping->host->i_bdev == bdev)
+ return -EBUSY;
+
+ l = f->f_mapping->host->i_bdev->bd_disk->private_data;
+ if (l->lo_state == Lo_unbound)
+ return -EINVAL;
+ f = l->lo_backing_file;
+ }
+ return 0;
+}
+
 /*
 * loop_change_fd switched the backing store of a loopback device to
 * a new file. This is useful for operating system installers to free up
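Review bot: check_loop_recursion() assigns `f = l->lo_backing_file` and then loops straight back into `is_loop_device(f)`, which dereferences `file->f_mapping`, so when lo_backing_file reads as NULL — which the new FIXME comment itself says can happen when racing LOOP_CLR_FD — the result is a NULL dereference rather than an error return. A guard `if (!f) return -EINVAL;` right after the assignment narrows that window, though it does not close the race the FIXME describes; the comment should say plainly that only the state of `bdev`'s own device is stable here (the callers appear to hold that device's lo_ctl_mutex, going by the lock listing in this thread, but that is not visible in the hunk). The helper also has no header comment; I would add one giving its contract: it walks the chain of loop backing files starting at `f`, returns -EBUSY when the chain leads back to `bdev`, -EINVAL when a device on the chain is Lo_unbound, and 0 otherwise.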
@@ -673,6 +701,11 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
 if (!file)
 goto out;
 
+ /* Avoid recursion */
+ error = check_loop_recursion(file, bdev);
+ if (error)
+ goto out_putf;
+
 inode = file->f_mapping->host;
 old_file = lo->lo_backing_file;
 
@@ -706,13 +739,6 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
 return error;
 }
 
-static inline int is_loop_device(struct file *file)
-{
- struct inode *i = file->f_mapping->host;
-
- return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR;
-}
-
 /* loop sysfs attributes */
 
 static ssize_t loop_attr_show(struct device *dev, char *page,
@@ -877,7 +903,7 @@ static int loop_prepare_queue(struct loop_device *lo)
 static int loop_set_fd(struct loop_device *lo, fmode_t mode,
 struct block_device *bdev, unsigned int arg)
 {
- struct file *file, *f;
+ struct file *file;
 struct inode*inode;
 struct address_space *mapping;
 int lo_flags = 0;
@@ -897,20 +923,9 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
 goto out_putf;
 
 /* Avoid recursion */
- f = file;
- while (is_loop_device(f)) {
- struct loop_device *l;
-
- if (f->f_mapping->host->i_bdev == bdev)
- goto out_putf;
-
- l = f->f_mapping->host->i_bdev->bd_disk->private_data;
- if (l->lo_state == Lo_unbound) {
- error = -EINVAL;
- goto out_putf;
- }
- f = l->lo_backing_file;
- }
+ error = check_loop_recursion(file, bdev);
+ if (error)
+ goto out_putf;
 
 mapping = file->f_mapping;
 inode = mapping->host;
-- 
1.8.3.1
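Review bot: The `/* Avoid recursion */` comment added to loop_change_fd copies the one-liner from loop_set_fd but does not say what is rejected or why it has to happen at this point; that reasoning lives only in the commit message, and the reader of loop.c will not see it. I would replace it with `/* Reject a backing file that is this loop device itself, or a chain of loop devices leading back to it: per the syzbot report, LOOP_CHANGE_FD with such a file hangs in blk_mq_freeze_queue(). */`, with the same wording reused at the LOOP_SET_FD call site in the last hunk of this patch. The freeze call and the out_putf label are outside this hunk, as is the rest of loop_change_fd.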
Re: INFO: task hung in blk_freeze_queue
syzbot has found a reproducer for the following crash on: HEAD commit:cdface520934 Merge tag 'for_linus_stable' of git://git.ker.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=136c8ee780 kernel config: https://syzkaller.appspot.com/x/.config?x=61c12b53c2a25ec4 dashboard link: https://syzkaller.appspot.com/bug?extid=2ab52b8d94df5e2eaa01 compiler: gcc (GCC) 8.0.1 20180413 (experimental) syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15afa24780 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f0771780 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+2ab52b8d94df5e2ea...@syzkaller.appspotmail.com INFO: task syz-executor148:4500 blocked for more than 120 seconds. Not tainted 4.17.0-rc2+ #23 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor148 D16648 4500 4481 0x Call Trace: context_switch kernel/sched/core.c:2848 [inline] __schedule+0x801/0x1e30 kernel/sched/core.c:3490 schedule+0xef/0x430 kernel/sched/core.c:3549 blk_mq_freeze_queue_wait+0x1ce/0x460 block/blk-mq.c:136 blk_freeze_queue+0x4a/0x80 block/blk-mq.c:165 blk_mq_freeze_queue+0x15/0x20 block/blk-mq.c:174 loop_clr_fd+0x226/0xb80 drivers/block/loop.c:1047 lo_ioctl+0x642/0x2130 drivers/block/loop.c:1404 __blkdev_driver_ioctl block/ioctl.c:303 [inline] blkdev_ioctl+0x9b6/0x2020 block/ioctl.c:601 block_ioctl+0xee/0x130 fs/block_dev.c:1877 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x1cf/0x16a0 fs/ioctl.c:684 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 __do_sys_ioctl fs/ioctl.c:708 [inline] __se_sys_ioctl fs/ioctl.c:706 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x449789 RSP: 002b:7f210fae5da8 EFLAGS: 0297 ORIG_RAX: 0010 RAX: ffda RBX: 006dac3c RCX: 00449789 RDX: 00449789 RSI: 4c01 RDI: 0003 RBP: R08: R09: R10: R11: 0297 R12: 006dac38 R13: 
0030656c69662f2e R14: 6f6f6c2f7665642f R15: 0007 Showing all locks held in the system: 2 locks held by khungtaskd/893: #0: 45f40930 (rcu_read_lock){}, at: check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline] #0: 45f40930 (rcu_read_lock){}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249 #1: 81898718 (tasklist_lock){.+.+}, at: debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470 1 lock held by rsyslogd/4362: #0: 2e322c73 (&f->f_pos_lock){+.+.}, at: __run_timers+0x16e/0xc50 kernel/time/timer.c:1658 2 locks held by getty/4452: #0: 3abe4bd2 (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: 35e35fb8 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131 2 locks held by getty/4453: #0: 4e78faf9 (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: 44d079f2 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131 2 locks held by getty/4454: #0: 37bf7fca (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: fc65c2e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131 2 locks held by getty/4455: #0: 650b41ff (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: f8a69a89 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131 2 locks held by getty/4456: #0: 33547e18 (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: 0c85318d (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131 2 locks held by getty/4457: #0: e5cb3908 (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: 9fc1aed4 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131 2 locks held by getty/4458: #0: 55360c24 (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: 2bcd4fa8 
(&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131 1 lock held by syz-executor148/4486: #0: bf14345a (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x2130 drivers/block/loop.c:1391 1 lock held by syz-executor148/4500: #0: bf14345a (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x2130 drivers/block/loop.c:1391 1 lock held by syz-executor148/4514: #0: bf14345a (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x2130 drivers/block/loop.c:1391 1 lock held by syz-
Re: INFO: task hung in blk_freeze_queue
On Wed, Feb 7, 2018 at 8:46 AM, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > e237f98a9c134c3d600353f21e07db915516875b (Mon Feb 5 21:35:56 2018 +) > Merge tag 'xfs-4.16-merge-5' of > git://git.kernel.org/pub/scm/fs/xfs/xfs-linux > > So far this crash happened 2 times on upstream. > Unfortunately, I don't have any reproducer for this crash yet. > Raw console output is attached. > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached. > user-space arch: i386 Looks similar to this one: #syz dup: INFO: task hung in lo_ioctl > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+2ab52b8d94df5e2ea...@syzkaller.appspotmail.com > It will help syzbot understand when the bug is fixed. See footer for > details. > If you forward the report, please keep this part and the footer. > > Buffer I/O error on dev loop0, logical block 0, lost async page write > INFO: task syz-executor1:14117 blocked for more than 120 seconds. > Not tainted 4.15.0+ #210 > "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
> syz-executor1 D26432 14117 4227 0x20020004 > Call Trace: > context_switch kernel/sched/core.c:2845 [inline] > __schedule+0x8eb/0x2060 kernel/sched/core.c:3421 > schedule+0xf5/0x430 kernel/sched/core.c:3480 > blk_mq_freeze_queue_wait+0x1bb/0x400 block/blk-mq.c:136 > blk_freeze_queue+0x4a/0x80 block/blk-mq.c:165 > blk_mq_freeze_queue+0x15/0x20 block/blk-mq.c:174 > loop_change_fd drivers/block/loop.c:667 [inline] > lo_ioctl+0x10ce/0x1b70 drivers/block/loop.c:1361 > lo_compat_ioctl+0xab/0x140 drivers/block/loop.c:1556 > compat_blkdev_ioctl+0x3ae/0x1840 block/compat_ioctl.c:406 > C_SYSC_ioctl fs/compat_ioctl.c:1473 [inline] > compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1419 > do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] > do_fast_syscall_32+0x3ee/0xfa1 arch/x86/entry/common.c:392 > entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129 > RIP: 0023:0xf7f44c79 > RSP: 002b:f774008c EFLAGS: 0296 ORIG_RAX: 0036 > RAX: ffda RBX: 0013 RCX: 4c06 > RDX: 0013 RSI: RDI: > RBP: R08: R09: > R10: R11: R12: > R13: R14: R15: > > Showing all locks held in the system: > 2 locks held by khungtaskd/759: > #0: (rcu_read_lock){}, at: [] > check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline] > #0: (rcu_read_lock){}, at: [ ] watchdog+0x1c5/0xd60 > kernel/hung_task.c:249 > #1: (tasklist_lock){.+.+}, at: [<440cd9e2>] > debug_show_all_locks+0xd3/0x3d0 kernel/locking/lockdep.c:4470 > 1 lock held by rsyslogd/4029: > #0: (&f->f_pos_lock){+.+.}, at: [<7729bd98>] > __fdget_pos+0x12b/0x190 fs/file.c:765 > 2 locks held by getty/4151: > #0: (&tty->ldisc_sem){}, at: [<903280c4>] > ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 > #1: (&ldata->atomic_read_lock){+.+.}, at: [ ] > n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131 > 2 locks held by getty/4152: > #0: (&tty->ldisc_sem){}, at: [<903280c4>] > ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 > #1: (&ldata->atomic_read_lock){+.+.}, at: [ ] > n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131 > 2 
locks held by getty/4153: > #0: (&tty->ldisc_sem){}, at: [<903280c4>] > ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 > #1: (&ldata->atomic_read_lock){+.+.}, at: [ ] > n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131 > 2 locks held by getty/4154: > #0: (&tty->ldisc_sem){}, at: [<903280c4>] > ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 > #1: (&ldata->atomic_read_lock){+.+.}, at: [ ] > n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131 > 2 locks held by getty/4155: > #0: (&tty->ldisc_sem){}, at: [<903280c4>] > ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 > #1: (&ldata->atomic_read_lock){+.+.}, at: [ ] > n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131 > 2 locks held by getty/4156: > #0: (&tty->ldisc_sem){}, at: [<903280c4>] > ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 > #1: (&ldata->atomic_read_lock){+.+.}, at: [ ] > n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131 > 2 locks held by getty/4157: > #0: (&tty->ldisc_sem){}, at: [<903280c4>] > ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 > #1: (&ldata->atomic_read_lock){+.+.}, at: [ ] > n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131 > 1 lock held by syz-executor1/14117: > #0: (&lo->lo_ctl_mutex/1){+.+.}, at: [ ] > lo_ioctl+0x8b/0x1b70 drivers/block/loop.c:1355 > >