Hello, When using fuzzer tool to fuzz the latest Linux kernel, the following crash was triggered.
HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8 git tree: upstream Console output: https://drive.google.com/file/d/1hHx0XqzeOIA6IZ-_nC_XviXb1nlt0bxI/view?usp=sharing Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing C reproducer: / Syzlang reproducer: / Unfortunately, we're getting a stable reproduction of the program. If you fix this issue, please add the following tag to the commit: Reported-by: Kun Hu <hu...@m.fudan.edu.cn> watchdog: BUG: soft lockup - CPU#3 stuck for 23s! [syz-executor:1847] Modules linked in: irq event stamp: 176368 hardirqs last enabled at (176367): [<ffffffff9dace9fb>] irqentry_exit+0x3b/0x90 kernel/entry/common.c:357 hardirqs last disabled at (176368): [<ffffffff9daccfcf>] sysvec_apic_timer_interrupt+0xf/0xb0 arch/x86/kernel/apic/apic.c:1049 softirqs last enabled at (176360): [<ffffffff95b0f4d4>] softirq_handle_end kernel/softirq.c:407 [inline] softirqs last enabled at (176360): [<ffffffff95b0f4d4>] handle_softirqs+0x544/0x870 kernel/softirq.c:589 softirqs last disabled at (176351): [<ffffffff95b1117e>] __do_softirq kernel/softirq.c:595 [inline] softirqs last disabled at (176351): [<ffffffff95b1117e>] invoke_softirq kernel/softirq.c:435 [inline] softirqs last disabled at (176351): [<ffffffff95b1117e>] __irq_exit_rcu kernel/softirq.c:662 [inline] softirqs last disabled at (176351): [<ffffffff95b1117e>] irq_exit_rcu+0xee/0x140 kernel/softirq.c:678 CPU: 3 UID: 0 PID: 1847 Comm: syz-executor Not tainted 6.13.0-rc3 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:virt_spin_lock arch/x86/include/asm/qspinlock.h:102 [inline] RIP: 0010:queued_spin_lock_slowpath+0xcb/0xc60 kernel/locking/qspinlock.c:324 Code: 00 00 00 49 01 c6 41 83 c5 03 be 04 00 00 00 48 89 df e8 98 61 76 f8 41 0f b6 06 41 38 c5 7c 08 84 c0 0f 85 f8 09 00 00 8b 03 <89> 44 24 48 85 c0 0f 85 6f 01 00 00 48 89 df be 04 00 00 00 e8 9c RSP: 0018:ffa000002f0a7748 EFLAGS: 00000246 RAX: 0000000000000001 RBX: ff1100006a241cc0 RCX: ffffffff9daf9078 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ff1100006a241cc0 RBP: ffa000002f0a7790 R08: fff3fc0005e14f08 R09: ffe21c000d448399 R10: ffe21c000d448398 R11: ff1100006a241cc3 R12: 0000000000000001 R13: 0000000000000003 R14: ffe21c000d448398 R15: 1ffffffff3f91377 FS: 0000555575f4fa00(0000) GS:ff1100006a380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdfa8d3f000 CR3: 0000000038ad2003 CR4: 0000000000771ef0 PKRU: 80000000 Call Trace: <IRQ> </IRQ> <TASK> queued_spin_lock include/asm-generic/qspinlock.h:114 [inline] do_raw_spin_lock+0x1de/0x290 kernel/locking/spinlock_debug.c:116 spin_lock include/linux/spinlock.h:351 [inline] drain_pages_zone+0xa3/0x160 mm/page_alloc.c:2394 drain_pages+0x58/0x80 mm/page_alloc.c:2415 __drain_all_pages+0x291/0x3b0 mm/page_alloc.c:2504 drain_all_pages mm/page_alloc.c:2517 [inline] __alloc_pages_direct_reclaim mm/page_alloc.c:3963 [inline] __alloc_pages_slowpath.constprop.0+0x624/0x2170 mm/page_alloc.c:4380 __alloc_pages_noprof+0x564/0x660 mm/page_alloc.c:4764 alloc_pages_mpol_noprof+0xf2/0x400 mm/mempolicy.c:2269 vm_area_alloc_pages mm/vmalloc.c:3589 [inline] __vmalloc_area_node mm/vmalloc.c:3667 [inline] __vmalloc_node_range_noprof+0x9c0/0x12c0 mm/vmalloc.c:3844 vmalloc_user_noprof+0x9e/0xe0 mm/vmalloc.c:3998 kcov_ioctl+0x4c/0x500 kernel/kcov.c:716 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x19e/0x210 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6a97aa732b Code: 0f 92 c0 84 c0 75 b0 49 8d 3c 1c e8 1f 3f 03 00 85 c0 78 b1 48 83 c4 08 4c 89 e0 5b 41 5c c3 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd707a66e8 EFLAGS: 00000207 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007f6a97aa732b RDX: 0000000000040000 RSI: ffffffff80086301 RDI: 00000000000000e0 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: 00007f6a97c6a6d8 R13: 0000000000000003 R14: 0000000000000002 R15: 00007ffd707a676c </TASK> Sending NMI from CPU 3 to CPUs 0-2: NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:tasklet_action_common+0x7f/0x810 kernel/softirq.c:827 Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 a8 06 00 00 48 89 6d 08 e8 ac ac 40 00 fb 48 bb 00 00 00 00 00 fc ff df <4c> 8b 6c 24 10 49 c1 ed 03 49 8d 44 1d 00 48 89 04 24 4d 85 ff 75 RSP: 0018:ffa00000001bfdc0 EFLAGS: 00000206 RAX: 000000001b406ed8 RBX: dffffc0000000000 RCX: 1ffffffff4437279 RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000 RBP: ff1100006a2a87a0 R08: 0000000000000001 R09: 0000000000000001 R10: fffffbfff44379c2 R11: ffffffffa21bce17 R12: 000000000003b18c R13: 0000000000000006 R14: 0000000000000006 R15: ff11000041ba15e8 FS: 0000000000000000(0000) GS:ff1100006a280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd8127e0090 CR3: 00000000350f0005 CR4: 0000000000771ef0 PKRU: 55555554 Call Trace: <NMI> </NMI> <TASK> handle_softirqs+0x1ad/0x870 kernel/softirq.c:561 run_ksoftirqd kernel/softirq.c:950 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:942 smpboot_thread_fn+0x669/0xa80 kernel/smpboot.c:164 kthread+0x345/0x450 kernel/kthread.c:389 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> NMI backtrace for cpu 2 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline] NMI backtrace for cpu 2 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:106 [inline] NMI backtrace for cpu 2 skipped: idling at default_idle+0x1e/0x30 arch/x86/kernel/process.c:742 NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 1729 Comm: syz.3.13 Not tainted 6.13.0-rc3 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:get_current arch/x86/include/asm/current.h:49 [inline] RIP: 0010:__rcu_read_unlock+0xc6/0x570 kernel/rcu/tree_plugin.h:440 Code: b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e bf 01 00 00 8b 85 00 04 00 00 85 c0 75 57 <65> 48 8b 1d 92 ae 32 6a 48 8d bb fc 03 00 00 48 b8 00 00 00 00 00 RSP: 0018:ffa0000000007e08 EFLAGS: 00000206 RAX: 0000000000000016 RBX: ff1100006a23d240 RCX: 1ffffffff501ee6b RDX: 0000000000000000 RSI: 0000000000000102 RDI: 0000000000000000 RBP: ffffffffa0326300 R08: 0000000000000001 R09: fffffbfff501ead5 R10: fffffbfff501ead4 R11: 0000000000000001 R12: 0000000000000001 R13: 0000000000000200 R14: ffa0000000007e00 R15: 1ff4000000000fc9 FS: 00007f4bda0d2700(0000) GS:ff1100006a200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f880e276310 CR3: 000000004167e005 CR4: 0000000000771ef0 PKRU: 80000000 Call Trace: <NMI> </NMI> <IRQ> rcu_read_unlock include/linux/rcupdate.h:882 [inline] ieee80211_rx_napi+0x117/0x410 net/mac80211/rx.c:5493 ieee80211_rx include/net/mac80211.h:5166 [inline] ieee80211_handle_queued_frames+0xd9/0x130 net/mac80211/main.c:441 tasklet_action_common+0x279/0x810 kernel/softirq.c:811 handle_softirqs+0x1ad/0x870 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu kernel/softirq.c:662 [inline] irq_exit_rcu+0xee/0x140 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x94/0xb0 arch/x86/kernel/apic/apic.c:1049 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:lock_acquire+0x1f4/0x580 kernel/locking/lockdep.c:5817 Code: 9a 24 3b 6a 83 f8 01 0f 85 00 03 00 00 9c 58 f6 c4 02 0f 85 eb 02 00 00 48 83 3c 24 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24 RSP: 0018:ffa00000152ef590 EFLAGS: 00000206 RAX: dffffc0000000000 RBX: 1ff4000002a5deb5 RCX: 0000000000000001 RDX: 1fe22000005095af RSI: 0000000000000002 RDI: 0000000000000000 RBP: 0000000000000001 R08: 0000000000000050 R09: fffffbfff501ead5 R10: fffffbfff501ead4 R11: ffffffffa80f56a7 R12: 0000000000000000 R13: ff1100006a241cd8 R14: 0000000000000001 R15: 0000000000000000 __raw_spin_trylock include/linux/spinlock_api_smp.h:90 [inline] _raw_spin_trylock+0x68/0x80 kernel/locking/spinlock.c:138 spin_trylock include/linux/spinlock.h:361 [inline] rmqueue_pcplist mm/page_alloc.c:3030 [inline] rmqueue mm/page_alloc.c:3074 [inline] get_page_from_freelist+0x4de/0x3800 mm/page_alloc.c:3471 __alloc_pages_noprof+0x2f0/0x660 mm/page_alloc.c:4751 alloc_pages_mpol_noprof+0xf2/0x400 mm/mempolicy.c:2269 folio_alloc_mpol_noprof+0x38/0xa0 mm/mempolicy.c:2287 shmem_alloc_folio+0x137/0x160 mm/shmem.c:1794 shmem_alloc_and_add_folio mm/shmem.c:1833 [inline] shmem_get_folio_gfp mm/shmem.c:2355 [inline] shmem_get_folio_gfp.isra.0+0x45e/0x13d0 mm/shmem.c:2255 shmem_get_folio mm/shmem.c:2461 [inline] shmem_write_begin+0x14f/0x2f0 mm/shmem.c:3117 generic_perform_write+0x290/0x850 mm/filemap.c:4055 shmem_file_write_iter+0x111/0x140 mm/shmem.c:3293 new_sync_write fs/read_write.c:586 [inline] vfs_write fs/read_write.c:679 [inline] vfs_write+0xb9b/0x10f0 fs/read_write.c:659 ksys_write+0x122/0x240 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f4bdb3f018f Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2d 44 89 c7 48 89 44 24 08 e8 cc fd ff ff 48 RSP: 002b:00007f4bda0d1940 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f4bdb3f018f RDX: 0000000001000000 RSI: 00007f4bd1cb2000 RDI: 0000000000000009 RBP: 00007f4bd1cb2000 R08: 0000000000000000 R09: 00000000000046db R10: 00000000000046db R11: 0000000000000293 R12: 0000000000000000 R13: 00007f4bda0d1a0c R14: 00007f4bda0d1a10 R15: 00000000200047c2 </TASK> --------------- thanks, Kun Hu
