Re: INFO: task hung in blk_freeze_queue

2018-05-04 Thread Tetsuo Handa
A patch for this specific report is ready. I don't know whether other
"dup" reports will be solved by this patch. Thus, I "undup" this report.

#syz undup

From eed54c6ae475860a9c63b37b58f34735e792eef7 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa 
Date: Sat, 5 May 2018 12:59:12 +0900
Subject: [PATCH] block/loop: Add recursion check for LOOP_CHANGE_FD request.

syzbot is reporting hung tasks at blk_freeze_queue() [1]. This is
due to ioctl(loop_fd, LOOP_CHANGE_FD, loop_fd) request which should be
rejected. Fix this by adding the same recursion check that the
LOOP_SET_FD request already uses.

Signed-off-by: Tetsuo Handa 
Reported-by: syzbot 
Cc: Jens Axboe 
---
 drivers/block/loop.c | 59 
 1 file changed, 37 insertions(+), 22 deletions(-)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 5d4e316..cee3c01 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -644,6 +644,34 @@ static void loop_reread_partitions(struct loop_device *lo,
__func__, lo->lo_number, lo->lo_file_name, rc);
 }
 
+static inline int is_loop_device(struct file *file)
+{
+   struct inode *i = file->f_mapping->host;
+
+   return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR;
+}
+
+static int check_loop_recursion(struct file *f, struct block_device *bdev)
+{
+   /*
+* FIXME: Traversing on other loop devices without corresponding
+* lo_ctl_mutex is not safe. l->lo_state can become Lo_rundown and
+* l->lo_backing_file can become NULL when raced with LOOP_CLR_FD.
+*/
+   while (is_loop_device(f)) {
+   struct loop_device *l;
+
+   if (f->f_mapping->host->i_bdev == bdev)
+   return -EBUSY;
+
+   l = f->f_mapping->host->i_bdev->bd_disk->private_data;
+   if (l->lo_state == Lo_unbound)
+   return -EINVAL;
+   f = l->lo_backing_file;
+   }
+   return 0;
+}
+
 /*
  * loop_change_fd switched the backing store of a loopback device to
  * a new file. This is useful for operating system installers to free up
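Review bot: check_loop_recursion assigns `f = l->lo_backing_file;` and loops straight back into `is_loop_device(f)`, which reads `file->f_mapping->host` without a NULL test, so the situation the FIXME above it describes (lo_backing_file cleared by a concurrent LOOP_CLR_FD on another loop device) would oops in the ioctl path rather than be rejected. A cheap guard on the new side, `f = l->lo_backing_file; if (!f) return -EINVAL;`, does not remove the unlocked traversal the FIXME names, but it turns the NULL case into a clean error for both callers. This traversal was already present in loop_set_fd before the patch, so the gap is pre-existing, but moving it into a helper shared by LOOP_SET_FD and LOOP_CHANGE_FD makes it worth closing here, and the FIXME could say which lock is expected to be held by the caller (lo_ctl_mutex of `lo`, not of `l`) so the assumption is explicit.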
@@ -673,6 +701,11 @@ static int loop_change_fd(struct loop_device *lo, struct 
block_device *bdev,
if (!file)
goto out;
 
+   /* Avoid recursion */
+   error = check_loop_recursion(file, bdev);
+   if (error)
+   goto out_putf;
+
inode = file->f_mapping->host;
old_file = lo->lo_backing_file;
 
@@ -706,13 +739,6 @@ static int loop_change_fd(struct loop_device *lo, struct 
block_device *bdev,
return error;
 }
 
-static inline int is_loop_device(struct file *file)
-{
-   struct inode *i = file->f_mapping->host;
-
-   return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR;
-}
-
 /* loop sysfs attributes */
 
 static ssize_t loop_attr_show(struct device *dev, char *page,
@@ -877,7 +903,7 @@ static int loop_prepare_queue(struct loop_device *lo)
 static int loop_set_fd(struct loop_device *lo, fmode_t mode,
   struct block_device *bdev, unsigned int arg)
 {
-   struct file *file, *f;
+   struct file *file;
struct inode*inode;
struct address_space *mapping;
int lo_flags = 0;
@@ -897,20 +923,9 @@ static int loop_set_fd(struct loop_device *lo, fmode_t 
mode,
goto out_putf;
 
/* Avoid recursion */
-   f = file;
-   while (is_loop_device(f)) {
-   struct loop_device *l;
-
-   if (f->f_mapping->host->i_bdev == bdev)
-   goto out_putf;
-
-   l = f->f_mapping->host->i_bdev->bd_disk->private_data;
-   if (l->lo_state == Lo_unbound) {
-   error = -EINVAL;
-   goto out_putf;
-   }
-   f = l->lo_backing_file;
-   }
+   error = check_loop_recursion(file, bdev);
+   if (error)
+   goto out_putf;
 
mapping = file->f_mapping;
inode = mapping->host;
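Review bot: The removed loop returned whatever `error` held when it hit `goto out_putf` for the `i_bdev == bdev` case, while check_loop_recursion now pins that case to -EBUSY; the assignment to `error` that preceded the loop is outside this hunk, so it is worth confirming in the commit message that the ioctl's return code for a self-referencing LOOP_SET_FD is unchanged (it appears to have been -EBUSY upstream, in which case the refactor is behaviour-preserving). A one-line remark such as `/* check_loop_recursion() returns -EBUSY for bdev == itself, as before */` next to the call would make that explicit. loop_set_fd's body begins before and continues past this hunk.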
-- 
1.8.3.1




Re: INFO: task hung in blk_freeze_queue

2018-05-04 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:cdface520934 Merge tag 'for_linus_stable' of git://git.ker..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=136c8ee780
kernel config:  https://syzkaller.appspot.com/x/.config?x=61c12b53c2a25ec4
dashboard link: https://syzkaller.appspot.com/bug?extid=2ab52b8d94df5e2eaa01
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15afa24780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16f0771780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2ab52b8d94df5e2ea...@syzkaller.appspotmail.com

INFO: task syz-executor148:4500 blocked for more than 120 seconds.
  Not tainted 4.17.0-rc2+ #23
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor148 D16648  4500   4481 0x
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 blk_mq_freeze_queue_wait+0x1ce/0x460 block/blk-mq.c:136
 blk_freeze_queue+0x4a/0x80 block/blk-mq.c:165
 blk_mq_freeze_queue+0x15/0x20 block/blk-mq.c:174
 loop_clr_fd+0x226/0xb80 drivers/block/loop.c:1047
 lo_ioctl+0x642/0x2130 drivers/block/loop.c:1404
 __blkdev_driver_ioctl block/ioctl.c:303 [inline]
 blkdev_ioctl+0x9b6/0x2020 block/ioctl.c:601
 block_ioctl+0xee/0x130 fs/block_dev.c:1877
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x16a0 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x449789
RSP: 002b:7f210fae5da8 EFLAGS: 0297 ORIG_RAX: 0010
RAX: ffda RBX: 006dac3c RCX: 00449789
RDX: 00449789 RSI: 4c01 RDI: 0003
RBP:  R08:  R09: 
R10:  R11: 0297 R12: 006dac38
R13: 0030656c69662f2e R14: 6f6f6c2f7665642f R15: 0007

Showing all locks held in the system:
2 locks held by khungtaskd/893:
 #0: 45f40930 (rcu_read_lock){}, at:  
check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 45f40930 (rcu_read_lock){}, at: watchdog+0x1ff/0xf60  
kernel/hung_task.c:249
 #1: 81898718 (tasklist_lock){.+.+}, at:  
debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470

1 lock held by rsyslogd/4362:
 #0: 2e322c73 (&f->f_pos_lock){+.+.}, at: __run_timers+0x16e/0xc50  
kernel/time/timer.c:1658

2 locks held by getty/4452:
 #0: 3abe4bd2 (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 35e35fb8 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4453:
 #0: 4e78faf9 (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 44d079f2 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4454:
 #0: 37bf7fca (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: fc65c2e0 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4455:
 #0: 650b41ff (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: f8a69a89 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4456:
 #0: 33547e18 (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 0c85318d (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4457:
 #0: e5cb3908 (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 9fc1aed4 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4458:
 #0: 55360c24 (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 2bcd4fa8 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

1 lock held by syz-executor148/4486:
 #0: bf14345a (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x2130  
drivers/block/loop.c:1391

1 lock held by syz-executor148/4500:
 #0: bf14345a (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x2130  
drivers/block/loop.c:1391

1 lock held by syz-executor148/4514:
 #0: bf14345a (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x2130  
drivers/block/loop.c:1391

1 lock held by syz-

Re: INFO: task hung in blk_freeze_queue

2018-02-14 Thread Dmitry Vyukov
On Wed, Feb 7, 2018 at 8:46 AM, syzbot
 wrote:
> Hello,
>
> syzbot hit the following crash on upstream commit
> e237f98a9c134c3d600353f21e07db915516875b (Mon Feb 5 21:35:56 2018 +)
> Merge tag 'xfs-4.16-merge-5' of
> git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
>
> So far this crash happened 2 times on upstream.
> Unfortunately, I don't have any reproducer for this crash yet.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> user-space arch: i386


Looks similar to this one:

#syz dup: INFO: task hung in lo_ioctl


> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+2ab52b8d94df5e2ea...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> Buffer I/O error on dev loop0, logical block 0, lost async page write
> INFO: task syz-executor1:14117 blocked for more than 120 seconds.
>   Not tainted 4.15.0+ #210
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> syz-executor1   D26432 14117   4227 0x20020004
> Call Trace:
>  context_switch kernel/sched/core.c:2845 [inline]
>  __schedule+0x8eb/0x2060 kernel/sched/core.c:3421
>  schedule+0xf5/0x430 kernel/sched/core.c:3480
>  blk_mq_freeze_queue_wait+0x1bb/0x400 block/blk-mq.c:136
>  blk_freeze_queue+0x4a/0x80 block/blk-mq.c:165
>  blk_mq_freeze_queue+0x15/0x20 block/blk-mq.c:174
>  loop_change_fd drivers/block/loop.c:667 [inline]
>  lo_ioctl+0x10ce/0x1b70 drivers/block/loop.c:1361
>  lo_compat_ioctl+0xab/0x140 drivers/block/loop.c:1556
>  compat_blkdev_ioctl+0x3ae/0x1840 block/compat_ioctl.c:406
>  C_SYSC_ioctl fs/compat_ioctl.c:1473 [inline]
>  compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1419
>  do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
>  do_fast_syscall_32+0x3ee/0xfa1 arch/x86/entry/common.c:392
>  entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
> RIP: 0023:0xf7f44c79
> RSP: 002b:f774008c EFLAGS: 0296 ORIG_RAX: 0036
> RAX: ffda RBX: 0013 RCX: 4c06
> RDX: 0013 RSI:  RDI: 
> RBP:  R08:  R09: 
> R10:  R11:  R12: 
> R13:  R14:  R15: 
>
> Showing all locks held in the system:
> 2 locks held by khungtaskd/759:
>  #0:  (rcu_read_lock){}, at: []
> check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
>  #0:  (rcu_read_lock){}, at: [] watchdog+0x1c5/0xd60
> kernel/hung_task.c:249
>  #1:  (tasklist_lock){.+.+}, at: [<440cd9e2>]
> debug_show_all_locks+0xd3/0x3d0 kernel/locking/lockdep.c:4470
> 1 lock held by rsyslogd/4029:
>  #0:  (&f->f_pos_lock){+.+.}, at: [<7729bd98>]
> __fdget_pos+0x12b/0x190 fs/file.c:765
> 2 locks held by getty/4151:
>  #0:  (&tty->ldisc_sem){}, at: [<903280c4>]
> ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
>  #1:  (&ldata->atomic_read_lock){+.+.}, at: []
> n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131
> 2 locks held by getty/4152:
>  #0:  (&tty->ldisc_sem){}, at: [<903280c4>]
> ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
>  #1:  (&ldata->atomic_read_lock){+.+.}, at: []
> n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131
> 2 locks held by getty/4153:
>  #0:  (&tty->ldisc_sem){}, at: [<903280c4>]
> ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
>  #1:  (&ldata->atomic_read_lock){+.+.}, at: []
> n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131
> 2 locks held by getty/4154:
>  #0:  (&tty->ldisc_sem){}, at: [<903280c4>]
> ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
>  #1:  (&ldata->atomic_read_lock){+.+.}, at: []
> n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131
> 2 locks held by getty/4155:
>  #0:  (&tty->ldisc_sem){}, at: [<903280c4>]
> ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
>  #1:  (&ldata->atomic_read_lock){+.+.}, at: []
> n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131
> 2 locks held by getty/4156:
>  #0:  (&tty->ldisc_sem){}, at: [<903280c4>]
> ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
>  #1:  (&ldata->atomic_read_lock){+.+.}, at: []
> n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131
> 2 locks held by getty/4157:
>  #0:  (&tty->ldisc_sem){}, at: [<903280c4>]
> ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
>  #1:  (&ldata->atomic_read_lock){+.+.}, at: []
> n_tty_read+0x2ef/0x1a00 drivers/tty/n_tty.c:2131
> 1 lock held by syz-executor1/14117:
>  #0:  (&lo->lo_ctl_mutex/1){+.+.}, at: []
> lo_ioctl+0x8b/0x1b70 drivers/block/loop.c:1355
>
>