EXT4-fs error (device loop0): ext4_xattr_block_get:533: inode #15: comm syz-executor.0: corrupted xattr block 33
EXT4-fs error (device loop0): ext4_xattr_block_get:533: inode #15: comm syz-executor.0: corrupted xattr block 33
BUG: sleeping function called from invalid context at drivers/tty/vt/vt.c:2245
in_atomic(): 1, irqs_disabled(): 1, pid: 9996, name: syz-executor.5
3 locks held by syz-executor.5/9996:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffff8355d3b2>] tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:284
#1: (&(&gsm->control_lock)->rlock){....}, at: [<ffffffff83573d26>] gsm_control_send+0xf6/0x480 drivers/tty/n_gsm.c:1434
#2: (&(&gsm->tx_lock)->rlock){....}, at: [<ffffffff83573b51>] gsm_data_queue drivers/tty/n_gsm.c:845 [inline]
#2: (&(&gsm->tx_lock)->rlock){....}, at: [<ffffffff83573b51>] gsm_control_transmit+0x1f1/0x2d0 drivers/tty/n_gsm.c:1375
irq event stamp: 48
hardirqs last enabled at (47): [<ffffffff8724fcb9>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last enabled at (47): [<ffffffff8724fcb9>] _raw_spin_unlock_irqrestore+0x79/0xe0 kernel/locking/spinlock.c:192
hardirqs last disabled at (48): [<ffffffff8724f946>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (48): [<ffffffff8724f946>] _raw_spin_lock_irqsave+0x66/0xc0 kernel/locking/spinlock.c:160
softirqs last enabled at (0): [<ffffffff81305bb0>] copy_process.part.0+0x12d0/0x71c0 kernel/fork.c:1734
softirqs last disabled at (0): [< (null)>] (null)
Preemption disabled at:
[< (null)>] (null)
CPU: 0 PID: 9996 Comm: syz-executor.5 Not tainted 4.14.307-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6040
do_con_write+0xd0/0x19b0 drivers/tty/vt/vt.c:2245
con_write+0x21/0xa0 drivers/tty/vt/vt.c:2822
gsmld_output+0xc3/0x190 drivers/tty/n_gsm.c:2312
gsm_data_kick+0x266/0x9b0 drivers/tty/n_gsm.c:761
gsm_data_queue drivers/tty/n_gsm.c:846 [inline]
gsm_control_transmit+0x1ff/0x2d0 drivers/tty/n_gsm.c:1375
gsm_control_send+0x38a/0x480 drivers/tty/n_gsm.c:1451
gsm_disconnect drivers/tty/n_gsm.c:2110 [inline]
gsmld_config.constprop.0+0x568/0xf90 drivers/tty/n_gsm.c:2636
gsmld_ioctl+0x375/0x410 drivers/tty/n_gsm.c:2700
tty_ioctl+0x5af/0x1430 drivers/tty/tty_io.c:2670
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f38de4ad0f9
RSP: 002b:00007f38dc9fe168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f38de5cd050 RCX: 00007f38de4ad0f9
RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000003
RBP: 00007f38de508ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc0d7b9a5f R14: 00007f38dc9fe300 R15: 0000000000022000
========================================================
WARNING: possible irq lock inversion dependency detected
4.14.307-syzkaller #0 Tainted: G W
--------------------------------------------------------
systemd-udevd/10040 just changed the state of lock:
(&(&gsm->control_lock)->rlock){..-.}, at: [<ffffffff835747a5>] gsm_control_retransmit+0x25/0x2c0 drivers/tty/n_gsm.c:1394
but this lock took another, SOFTIRQ-unsafe lock in the past:
(console_lock){+.+.}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Chain exists of:
&(&gsm->control_lock)->rlock --> &(&gsm->tx_lock)->rlock --> console_lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(console_lock);
local_irq_disable();
lock(&(&gsm->control_lock)->rlock);
lock(&(&gsm->tx_lock)->rlock);
<Interrupt>
lock(&(&gsm->control_lock)->rlock);
*** DEADLOCK ***
3 locks held by systemd-udevd/10040:
#0: (sb_writers){.+.+}, at: [<ffffffff818e203a>] sb_start_write include/linux/fs.h:1551 [inline]
#0: (sb_writers){.+.+}, at: [<ffffffff818e203a>] mnt_want_write+0x3a/0xb0 fs/namespace.c:386
#1: (&type->i_mutex_dir_key/1){+.+.}, at: [<ffffffff818a990a>] inode_lock_nested include/linux/fs.h:754 [inline]
#1: (&type->i_mutex_dir_key/1){+.+.}, at: [<ffffffff818a990a>] filename_create+0x12a/0x3f0 fs/namei.c:3676
#2: (((&gsm->t2_timer))){+.-.}, at: [<ffffffff814871a8>] lockdep_copy_map include/linux/lockdep.h:174 [inline]
#2: (((&gsm->t2_timer))){+.-.}, at: [<ffffffff814871a8>] call_timer_fn+0xb8/0x650 kernel/time/timer.c:1270
the shortest dependencies between 2nd lock and 1st lock:
-> (console_lock){+.+.} ops: 4157 {
HARDIRQ-ON-W at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
console_lock+0x42/0x70 kernel/printk/printk.c:2228
con_init+0x12/0x5d6 drivers/tty/vt/vt.c:3022
console_init+0x46/0x53 kernel/printk/printk.c:2809
start_kernel+0x521/0x763 init/main.c:638
secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240
SOFTIRQ-ON-W at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
console_lock+0x42/0x70 kernel/printk/printk.c:2228
con_init+0x12/0x5d6 drivers/tty/vt/vt.c:3022
console_init+0x46/0x53 kernel/printk/printk.c:2809
start_kernel+0x521/0x763 init/main.c:638
secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240
INITIAL USE at:
}
... key at: [<ffffffff88f6fb60>] console_lock_dep_map+0x0/0x40
... acquired at:
console_lock+0x42/0x70 kernel/printk/printk.c:2228
do_con_write+0xd5/0x19b0 drivers/tty/vt/vt.c:2247
con_write+0x21/0xa0 drivers/tty/vt/vt.c:2822
gsmld_output+0xc3/0x190 drivers/tty/n_gsm.c:2312
gsm_data_kick+0x266/0x9b0 drivers/tty/n_gsm.c:761
gsm_data_queue drivers/tty/n_gsm.c:846 [inline]
gsm_control_transmit+0x1ff/0x2d0 drivers/tty/n_gsm.c:1375
gsm_control_send+0x38a/0x480 drivers/tty/n_gsm.c:1451
gsm_disconnect drivers/tty/n_gsm.c:2110 [inline]
gsmld_config.constprop.0+0x568/0xf90 drivers/tty/n_gsm.c:2636
gsmld_ioctl+0x375/0x410 drivers/tty/n_gsm.c:2700
tty_ioctl+0x5af/0x1430 drivers/tty/tty_io.c:2670
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
-> (&(&gsm->tx_lock)->rlock){....} ops: 1 {
INITIAL USE at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160
gsm_data_queue drivers/tty/n_gsm.c:845 [inline]
gsm_control_transmit+0x1f1/0x2d0 drivers/tty/n_gsm.c:1375
gsm_control_send+0x38a/0x480 drivers/tty/n_gsm.c:1451
gsm_disconnect drivers/tty/n_gsm.c:2110 [inline]
gsmld_config.constprop.0+0x568/0xf90 drivers/tty/n_gsm.c:2636
gsmld_ioctl+0x375/0x410 drivers/tty/n_gsm.c:2700
tty_ioctl+0x5af/0x1430 drivers/tty/tty_io.c:2670
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
}
... key at: [<ffffffff8c8d54e0>] __key.4+0x0/0x40
... acquired at:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160
gsm_data_queue drivers/tty/n_gsm.c:845 [inline]
gsm_control_transmit+0x1f1/0x2d0 drivers/tty/n_gsm.c:1375
gsm_control_send+0x38a/0x480 drivers/tty/n_gsm.c:1451
gsm_disconnect drivers/tty/n_gsm.c:2110 [inline]
gsmld_config.constprop.0+0x568/0xf90 drivers/tty/n_gsm.c:2636
gsmld_ioctl+0x375/0x410 drivers/tty/n_gsm.c:2700
tty_ioctl+0x5af/0x1430 drivers/tty/tty_io.c:2670
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
-> (&(&gsm->control_lock)->rlock){..-.} ops: 2 {
IN-SOFTIRQ-W at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160
gsm_control_retransmit+0x25/0x2c0 drivers/tty/n_gsm.c:1394
call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280
expire_timers+0x232/0x4d0 kernel/time/timer.c:1319
__run_timers kernel/time/timer.c:1637 [inline]
run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650
__do_softirq+0x24d/0x9ff kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x193/0x240 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:796
deref_stack_reg arch/x86/kernel/unwind_orc.c:289 [inline]
deref_stack_reg+0x119/0x1a0 arch/x86/kernel/unwind_orc.c:283
unwind_next_frame+0xc98/0x17d0 arch/x86/kernel/unwind_orc.c:425
__unwind_start+0x594/0x930 arch/x86/kernel/unwind_orc.c:583
unwind_start arch/x86/include/asm/unwind.h:60 [inline]
__save_stack_trace+0x63/0x160 arch/x86/kernel/stacktrace.c:43
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc mm/slab.c:3390 [inline]
__do_kmalloc mm/slab.c:3718 [inline]
__kmalloc_track_caller+0x13f/0x400 mm/slab.c:3735
kmemdup+0x23/0x50 mm/util.c:119
kmemdup include/linux/string.h:449 [inline]
shmem_symlink+0x13f/0x6b0 mm/shmem.c:3294
vfs_symlink+0x3ce/0x620 fs/namei.c:4158
SYSC_symlinkat fs/namei.c:4185 [inline]
SyS_symlinkat+0x1dc/0x240 fs/namei.c:4165
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
INITIAL USE at:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160
gsm_control_send+0xf6/0x480 drivers/tty/n_gsm.c:1434
gsm_disconnect drivers/tty/n_gsm.c:2110 [inline]
gsmld_config.constprop.0+0x568/0xf90 drivers/tty/n_gsm.c:2636
gsmld_ioctl+0x375/0x410 drivers/tty/n_gsm.c:2700
tty_ioctl+0x5af/0x1430 drivers/tty/tty_io.c:2670
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
}
... key at: [<ffffffff8c8d5520>] __key.5+0x0/0x40
... acquired at:
mark_lock_irq kernel/locking/lockdep.c:2804 [inline]
mark_lock+0x3c7/0x1050 kernel/locking/lockdep.c:3194
mark_irqflags kernel/locking/lockdep.c:3072 [inline]
__lock_acquire+0xc81/0x3f20 kernel/locking/lockdep.c:3448
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160
gsm_control_retransmit+0x25/0x2c0 drivers/tty/n_gsm.c:1394
call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280
expire_timers+0x232/0x4d0 kernel/time/timer.c:1319
__run_timers kernel/time/timer.c:1637 [inline]
run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650
__do_softirq+0x24d/0x9ff kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x193/0x240 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:796
deref_stack_reg arch/x86/kernel/unwind_orc.c:289 [inline]
deref_stack_reg+0x119/0x1a0 arch/x86/kernel/unwind_orc.c:283
unwind_next_frame+0xc98/0x17d0 arch/x86/kernel/unwind_orc.c:425
__unwind_start+0x594/0x930 arch/x86/kernel/unwind_orc.c:583
unwind_start arch/x86/include/asm/unwind.h:60 [inline]
__save_stack_trace+0x63/0x160 arch/x86/kernel/stacktrace.c:43
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc mm/slab.c:3390 [inline]
__do_kmalloc mm/slab.c:3718 [inline]
__kmalloc_track_caller+0x13f/0x400 mm/slab.c:3735
kmemdup+0x23/0x50 mm/util.c:119
kmemdup include/linux/string.h:449 [inline]
shmem_symlink+0x13f/0x6b0 mm/shmem.c:3294
vfs_symlink+0x3ce/0x620 fs/namei.c:4158
SYSC_symlinkat fs/namei.c:4185 [inline]
SyS_symlinkat+0x1dc/0x240 fs/namei.c:4165
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
stack backtrace:
CPU: 0 PID: 10040 Comm: systemd-udevd Tainted: G W 4.14.307-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_irq_inversion_bug.cold+0x313/0x346 kernel/locking/lockdep.c:2670
check_usage_forwards+0x18f/0x2d0 kernel/locking/lockdep.c:2695
mark_lock_irq kernel/locking/lockdep.c:2804 [inline]
mark_lock+0x3c7/0x1050 kernel/locking/lockdep.c:3194
mark_irqflags kernel/locking/lockdep.c:3072 [inline]
__lock_acquire+0xc81/0x3f20 kernel/locking/lockdep.c:3448
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160
gsm_control_retransmit+0x25/0x2c0 drivers/tty/n_gsm.c:1394
call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280
expire_timers+0x232/0x4d0 kernel/time/timer.c:1319
__run_timers kernel/time/timer.c:1637 [inline]
run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650
__do_softirq+0x24d/0x9ff kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x193/0x240 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:796
</IRQ>
RIP: 0010:deref_stack_reg arch/x86/kernel/unwind_orc.c:289 [inline]
RIP: 0010:deref_stack_reg+0x119/0x1a0 arch/x86/kernel/unwind_orc.c:283
RSP: 0018:ffff88805d3c7880 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff10
RAX: ffff88805d3c8000 RBX: 1ffff1100ba78f11 RCX: ffffffff8a69d228
RDX: ffff88805d3c7ad0 RSI: ffff88805d3c78a8 RDI: ffff88805d3c7a60
RBP: ffff88805d3c7ac8 R08: ffffffff8a69d22c R09: ffffffff8a69d22d
R10: 00000000000073cc R11: 0000000000000001 R12: ffff88805d3c7a50
R13: ffff88805d3c7a98 R14: ffff88805d3c0000 R15: ffff88805d3c7a50
unwind_next_frame+0xc98/0x17d0 arch/x86/kernel/unwind_orc.c:425
__unwind_start+0x594/0x930 arch/x86/kernel/unwind_orc.c:583
unwind_start arch/x86/include/asm/unwind.h:60 [inline]
__save_stack_trace+0x63/0x160 arch/x86/kernel/stacktrace.c:43
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc mm/slab.c:3390 [inline]
__do_kmalloc mm/slab.c:3718 [inline]
__kmalloc_track_caller+0x13f/0x400 mm/slab.c:3735
kmemdup+0x23/0x50 mm/util.c:119
kmemdup include/linux/string.h:449 [inline]
shmem_symlink+0x13f/0x6b0 mm/shmem.c:3294
vfs_symlink+0x3ce/0x620 fs/namei.c:4158
SYSC_symlinkat fs/namei.c:4185 [inline]
SyS_symlinkat+0x1dc/0x240 fs/namei.c:4165
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f1a01dc0027
RSP: 002b:00007ffc9be16e78 EFLAGS: 00000202 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007ffc9be17910 RCX: 00007f1a01dc0027
RDX: 0000000000000000 RSI: 00007ffc9be17910 RDI: 00007ffc9be16f30
RBP: 00000000ffffffff R08: 000000000000fcff R09: 0000000000000010
R10: 00007ffc9be17900 R11: 0000000000000202 R12: 00007ffc9be16f30
R13: 0000559d8cd05c00 R14: 0000559d8b22e1d0 R15: 00007ffc9be17921
EXT4-fs (loop0): mounted filesystem without journal. Opts: noquota,abort,nouid32,nombcache,,errors=continue
EXT4-fs error (device loop0): ext4_xattr_block_get:533: inode #15: comm syz-executor.0: corrupted xattr block 33
EXT4-fs error (device loop0): ext4_xattr_block_get:533: inode #15: comm syz-executor.0: corrupted xattr block 33
BUG: sleeping function called from invalid context at drivers/tty/vt/vt.c:2245
in_atomic(): 1, irqs_disabled(): 1, pid: 10200, name: syz-executor.5
INFO: lockdep is turned off.
irq event stamp: 0
hardirqs last enabled at (0): [< (null)>] (null)
hardirqs last disabled at (0): [<ffffffff81305b09>] copy_process.part.0+0x1229/0x71c0 kernel/fork.c:1731
softirqs last enabled at (0): [<ffffffff81305bb0>] copy_process.part.0+0x12d0/0x71c0 kernel/fork.c:1734
softirqs last disabled at (0): [< (null)>] (null)
Preemption disabled at:
[< (null)>] (null)
CPU: 1 PID: 10200 Comm: syz-executor.5 Tainted: G W 4.14.307-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6040
do_con_write+0xd0/0x19b0 drivers/tty/vt/vt.c:2245
con_write+0x21/0xa0 drivers/tty/vt/vt.c:2822
gsmld_output+0xc3/0x190 drivers/tty/n_gsm.c:2312
gsm_data_kick+0x266/0x9b0 drivers/tty/n_gsm.c:761
gsm_data_queue drivers/tty/n_gsm.c:846 [inline]
gsm_control_transmit+0x1ff/0x2d0 drivers/tty/n_gsm.c:1375
gsm_control_send+0x38a/0x480 drivers/tty/n_gsm.c:1451
gsm_disconnect drivers/tty/n_gsm.c:2110 [inline]
gsmld_config.constprop.0+0x568/0xf90 drivers/tty/n_gsm.c:2636
gsmld_ioctl+0x375/0x410 drivers/tty/n_gsm.c:2700
tty_ioctl+0x5af/0x1430 drivers/tty/tty_io.c:2670
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f38de4ad0f9
RSP: 002b:00007f38dc9fe168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f38de5cd050 RCX: 00007f38de4ad0f9
RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000003
RBP: 00007f38de508ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc0d7b9a5f R14: 00007f38dc9fe300 R15: 0000000000022000
ubi0: attaching mtd0
ubi0: scanning is finished
ubi0: empty MTD device detected
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 1544840565
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: detaching mtd0
ubi0: background thread "ubi_bgt0d" started, PID 10277
ubi0: mtd0 is detached
IPVS: ftp: loaded support on port[0] = 21
EXT4-fs (loop0): mounted filesystem without journal. Opts: noquota,abort,nouid32,nombcache,,errors=continue
ubi0: attaching mtd0
ubi0: scanning is finished
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 1544840565
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: detaching mtd0
ubi0: mtd0 is detached
EXT4-fs error (device loop0): ext4_xattr_block_get:533: inode #15: comm syz-executor.0: corrupted xattr block 33
EXT4-fs error (device loop0): ext4_xattr_block_get:533: inode #15: comm syz-executor.0: corrupted xattr block 33
BUG: sleeping function called from invalid context at drivers/tty/vt/vt.c:2245
in_atomic(): 1, irqs_disabled(): 1, pid: 10405, name: syz-executor.5
INFO: lockdep is turned off.
irq event stamp: 0
hardirqs last enabled at (0): [< (null)>] (null)
hardirqs last disabled at (0): [<ffffffff81305b09>] copy_process.part.0+0x1229/0x71c0 kernel/fork.c:1731
softirqs last enabled at (0): [<ffffffff81305bb0>] copy_process.part.0+0x12d0/0x71c0 kernel/fork.c:1734
softirqs last disabled at (0): [< (null)>] (null)
Preemption disabled at:
[< (null)>] (null)
CPU: 0 PID: 10405 Comm: syz-executor.5 Tainted: G W 4.14.307-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6040
do_con_write+0xd0/0x19b0 drivers/tty/vt/vt.c:2245
con_write+0x21/0xa0 drivers/tty/vt/vt.c:2822
gsmld_output+0xc3/0x190 drivers/tty/n_gsm.c:2312
gsm_data_kick+0x266/0x9b0 drivers/tty/n_gsm.c:761
gsm_data_queue drivers/tty/n_gsm.c:846 [inline]
gsm_control_transmit+0x1ff/0x2d0 drivers/tty/n_gsm.c:1375
gsm_control_send+0x38a/0x480 drivers/tty/n_gsm.c:1451
gsm_disconnect drivers/tty/n_gsm.c:2110 [inline]
gsmld_config.constprop.0+0x568/0xf90 drivers/tty/n_gsm.c:2636
gsmld_ioctl+0x375/0x410 drivers/tty/n_gsm.c:2700
tty_ioctl+0x5af/0x1430 drivers/tty/tty_io.c:2670
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f38de4ad0f9
RSP: 002b:00007f38dc9fe168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f38de5cd050 RCX: 00007f38de4ad0f9
RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000003
RBP: 00007f38de508ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc0d7b9a5f R14: 00007f38dc9fe300 R15: 0000000000022000
ubi0: attaching mtd0
ubi0: scanning is finished
EXT4-fs (loop0): mounted filesystem without journal. Opts: noquota,abort,nouid32,nombcache,,errors=continue
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 1544840565
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: detaching mtd0
ubi0: mtd0 is detached
EXT4-fs error (device loop0): ext4_xattr_block_get:533: inode #15: comm syz-executor.0: corrupted xattr block 33
EXT4-fs error (device loop0): ext4_xattr_block_get:533: inode #15: comm syz-executor.0: corrupted xattr block 33
ubi0: attaching mtd0
ubi0: scanning is finished
BUG: sleeping function called from invalid context at drivers/tty/vt/vt.c:2245
in_atomic(): 1, irqs_disabled(): 1, pid: 10631, name: syz-executor.5
INFO: lockdep is turned off.
irq event stamp: 0
hardirqs last enabled at (0): [< (null)>] (null)
hardirqs last disabled at (0): [<ffffffff81305b09>] copy_process.part.0+0x1229/0x71c0 kernel/fork.c:1731
softirqs last enabled at (0): [<ffffffff81305bb0>] copy_process.part.0+0x12d0/0x71c0 kernel/fork.c:1734
softirqs last disabled at (0): [< (null)>] (null)
Preemption disabled at:
[< (null)>] (null)
CPU: 1 PID: 10631 Comm: syz-executor.5 Tainted: G W 4.14.307-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6040
do_con_write+0xd0/0x19b0 drivers/tty/vt/vt.c:2245
con_write+0x21/0xa0 drivers/tty/vt/vt.c:2822
gsmld_output+0xc3/0x190 drivers/tty/n_gsm.c:2312
gsm_data_kick+0x266/0x9b0 drivers/tty/n_gsm.c:761
gsm_data_queue drivers/tty/n_gsm.c:846 [inline]
gsm_control_transmit+0x1ff/0x2d0 drivers/tty/n_gsm.c:1375
gsm_control_send+0x38a/0x480 drivers/tty/n_gsm.c:1451
gsm_disconnect drivers/tty/n_gsm.c:2110 [inline]
gsmld_config.constprop.0+0x568/0xf90 drivers/tty/n_gsm.c:2636
gsmld_ioctl+0x375/0x410 drivers/tty/n_gsm.c:2700
tty_ioctl+0x5af/0x1430 drivers/tty/tty_io.c:2670
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f38de4ad0f9
RSP: 002b:00007f38dc9fe168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f38de5cd050 RCX: 00007f38de4ad0f9
RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000003
RBP: 00007f38de508ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc0d7b9a5f R14: 00007f38dc9fe300 R15: 0000000000022000
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 1544840565
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: background thread "ubi_bgt0d" started, PID 10696
ubi0: detaching mtd0
ubi0: mtd0 is detached