net/irda: BUG: looking up invalid subclass: 4294967295
From: Dmitry Vyukov
Date: Thu Feb 04 2016 - 04:14:47 EST
Hello,
I am hitting the following BUGs while running syzkaller fuzzer:
BUG: looking up invalid subclass: 4294967295
turning off the locking correctness validator.
CPU: 1 PID: 12344 Comm: syz-executor Not tainted 4.5.0-rc2+ #309
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88005dcff4a0 ffffffff82be2c8d ffff88006c9b17c0
00000000ffffffff 0000000000000001 ffff88005dcff630 ffffffff81457780
ffff88005dcffff8 ffff88005dcf8000 00000000000015f0 ffffffffffff8000
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82be2c8d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[< inline >] look_up_lock_class kernel/locking/lockdep.c:694
[< inline >] register_lock_class kernel/locking/lockdep.c:752
[<ffffffff81457780>] __lock_acquire+0x1110/0x4700 kernel/locking/lockdep.c:3103
[<ffffffff8145d1bc>] lock_acquire+0x1dc/0x430 kernel/locking/lockdep.c:3587
[<ffffffff8665e105>] _raw_spin_lock_irqsave_nested+0xa5/0xd0 kernel/locking/spinlock.c:381
[<ffffffff85cfcff1>] hashbin_delete+0x1b1/0x260 net/irda/irqueue.c:400
[<ffffffff85d071fb>] __irias_delete_object+0xab/0x170 net/irda/irias_object.c:111
[<ffffffff85d07331>] irias_delete_object+0x71/0xf0 net/irda/irias_object.c:139
[<ffffffff85d385b5>] ircomm_tty_detach_cable+0x1d5/0x3f0 net/irda/ircomm/ircomm_tty_attach.c:185
[<ffffffff85d33d4b>] ircomm_tty_shutdown+0x9b/0x2b0 net/irda/ircomm/ircomm_tty.c:883
[<ffffffff85d349b7>] ircomm_tty_close+0xa7/0x140 net/irda/ircomm/ircomm_tty.c:489
[<ffffffff82f85c9d>] tty_release+0x37d/0x1290 drivers/tty/tty_io.c:1793
[<ffffffff82f881a2>] tty_open+0x3a2/0x1070 drivers/tty/tty_io.c:2117
[<ffffffff817c864a>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
[<ffffffff817b3e72>] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
[<ffffffff817b754b>] vfs_open+0x17b/0x1f0 fs/open.c:853
[< inline >] do_last fs/namei.c:3254
[<ffffffff817ead19>] path_openat+0xde9/0x5e30 fs/namei.c:3386
[<ffffffff817f359e>] do_filp_open+0x18e/0x250 fs/namei.c:3421
[<ffffffff817b7ccc>] do_sys_open+0x1fc/0x420 fs/open.c:1022
[< inline >] SYSC_open fs/open.c:1040
[<ffffffff817b7f1d>] SyS_open+0x2d/0x40 fs/open.c:1035
hashbin_delete() seems to maintain hashbin_lock_depth variable in a
completely thread-unsafe way. hashbin_lock_depth needs to be per-task
or something.
I am on commit 34229b277480f46c1e9a19f027f30b074512e68b.
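The mechanism behind the "invalid subclass: 4294967295" value, as an added user-space model that is not part of this report or of the kernel: two tasks run hashbin_delete()-style depth++/depth-- bookkeeping on one shared counter, a fixed interleaving of their load and store steps loses an update, and the unsigned counter wraps to 4294967295 before the next nested lock acquisition uses it as its lockdep subclass. The subclass limit MAX_SUBCLASSES and the per-task variant are assumptions of the model.

```c
/* Deterministic model of a racy global nesting counter used as a lockdep subclass. */
#include <stdint.h>
#include <stddef.h>

#define MAX_SUBCLASSES 8u   /* assumed lockdep subclass limit for this model */
#define NTASKS 2

struct task {
    uint32_t local_depth;   /* used instead of the shared counter when per_task != 0 */
    uint32_t tmp;           /* "register" holding the value last loaded from the counter */
    int pc;                 /* next micro-op, cycling through the four cases in step() */
};

static uint32_t shared_depth;   /* stands in for the global hashbin_lock_depth */

/* One micro-op of: load depth; store depth+1 (lock); load depth; store depth-1 (unlock).
 * The load before the lock is the value that would be passed as the lock subclass. */
static void step(struct task *t, int per_task, uint32_t *max_subclass)
{
    uint32_t *depth = per_task ? &t->local_depth : &shared_depth;

    switch (t->pc & 3) {
    case 0: t->tmp = *depth;                       /* read nesting level for the subclass */
            if (t->tmp > *max_subclass)
                *max_subclass = t->tmp;
            break;
    case 1: *depth = t->tmp + 1u; break;           /* publish depth++ (not atomic) */
    case 2: t->tmp = *depth; break;                /* read for depth-- */
    case 3: *depth = t->tmp - 1u; break;           /* publish depth--; 0 - 1 wraps to UINT32_MAX */
    }
    t->pc++;
}

/* Run the tasks in the given order, one micro-op per entry; return the largest subclass used. */
uint32_t run_schedule(const int *sched, size_t n, int per_task)
{
    struct task tasks[NTASKS] = {{0, 0, 0}, {0, 0, 0}};
    uint32_t max_subclass = 0;

    shared_depth = 0;
    for (size_t i = 0; i < n; i++)
        step(&tasks[sched[i]], per_task, &max_subclass);
    return max_subclass;
}

int subclass_is_valid(uint32_t subclass) { return subclass < MAX_SUBCLASSES; }

/* Constructed interleaving: both tasks load 0 before either stores 1, so one increment is lost;
 * after both decrement, the shared counter is 0 - 1 = 4294967295 and task 0's next lock uses it. */
const int lost_update_schedule[] = { 0, 1, 0, 1, 0, 0, 1, 1, 0 };
const size_t lost_update_len = sizeof(lost_update_schedule) / sizeof(lost_update_schedule[0]);
```

With the shared counter the schedule yields subclass 4294967295; giving each task its own counter makes the same schedule never exceed subclass 0.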