[PATCH] /dev/kmem : Debug preadv() progress.
From: Tetsuo Handa
Date: Mon Aug 12 2019 - 06:52:24 EST
syzbot is reporting unkillable thread when reading /dev/mem . To check
whether this is merely due to lack of fatal_signal_pending(current) test
or unexpectedly fallen into infinite loop, add debug printk(). This patch
is intended for linux-next only, and will be removed after the cause is
fixed.
INFO: task syz-executor.4:25539 can't die for more than 143 seconds.
syz-executor.4 R running task 28400 25539 25531 0x80004006
Call Trace:
context_switch kernel/sched/core.c:3265 [inline]
__schedule+0x76e/0x17d0 kernel/sched/core.c:3937
preempt_schedule_irq+0xb5/0x160 kernel/sched/core.c:4185
retint_kernel+0x1b/0x2b
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:205
Code: 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 31 c0 0f 1f 00 c3 0f 1f 80 00 00 00 00 0f 1f 00 83 fa 40 0f 82 70 ff ff ff 89 d1 <f3> a4 31 c0 0f 1f 00 c3 66 2e 0f 1f 84 00 00 00 00 00 89 d1 f3 a4
RSP: 0018:ffff88808d76fb68 EFLAGS: 00010206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000040000 RBX: ffff8880925be2c0 RCX: 0000000000000c00
RDX: 0000000000001000 RSI: ffffc9000fbb2c00 RDI: ffff8880925beec0
RBP: ffff88808d76fb98 R08: ffff888060288440 R09: ffff8880aa402000
R10: 0000000000000000 R11: ffffea0002496f87 R12: 0000000000001000
R13: 00007ffffffff000 R14: ffffc9000fbb8000 R15: ffff888060288440
read_mem+0xfc/0x2c0 drivers/char/mem.c:163
do_loop_readv_writev fs/read_write.c:714 [inline]
do_loop_readv_writev fs/read_write.c:701 [inline]
do_iter_read+0x4a4/0x660 fs/read_write.c:935
vfs_readv+0xf0/0x160 fs/read_write.c:997
do_preadv+0x1c4/0x280 fs/read_write.c:1089
__do_sys_preadv fs/read_write.c:1139 [inline]
__se_sys_preadv fs/read_write.c:1134 [inline]
__x64_sys_preadv+0x9a/0xf0 fs/read_write.c:1134
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
https://syzkaller.appspot.com/text?tag=CrashLog&x=1469b8a6600000
https://syzkaller.appspot.com/text?tag=CrashLog&x=160a00a6600000
https://syzkaller.appspot.com/text?tag=CrashLog&x=16255326600000
Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Cc: Arnd Bergmann <arnd@xxxxxxxx>
Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
---
drivers/char/mem.c | 9 +++++++++
fs/read_write.c | 6 ++++++
2 files changed, 15 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index b08dc50..4c0225e 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -140,6 +140,9 @@ static ssize_t read_mem(struct file *file, char __user *buf,
int allowed, probe;
sz = size_inside_page(p, count);
+ if (IS_ENABLED(CONFIG_DEBUG_AID_FOR_SYZBOT) &&
+ fatal_signal_pending(current))
+ printk("read_mem: sz=%ld count=%ld\n", sz, count);
err = -EPERM;
allowed = page_is_allowed(p >> PAGE_SHIFT);
@@ -179,9 +182,15 @@ static ssize_t read_mem(struct file *file, char __user *buf,
kfree(bounce);
*ppos += read;
+ if (IS_ENABLED(CONFIG_DEBUG_AID_FOR_SYZBOT) &&
+ fatal_signal_pending(current))
+ printk("read_mem: read=%ld *ppos=%lld\n", read, *ppos);
return read;
failed:
+ if (IS_ENABLED(CONFIG_DEBUG_AID_FOR_SYZBOT) &&
+ fatal_signal_pending(current))
+ printk("read_mem: err=%d\n", err);
kfree(bounce);
return err;
}
diff --git a/fs/read_write.c b/fs/read_write.c
index 1f5088d..f5c7da1 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -710,6 +710,9 @@ static ssize_t do_loop_readv_writev(struct file *filp, struct iov_iter *iter,
struct iovec iovec = iov_iter_iovec(iter);
ssize_t nr;
+ if (IS_ENABLED(CONFIG_DEBUG_AID_FOR_SYZBOT) &&
+ fatal_signal_pending(current))
+ printk("do_loop_readv_writev: iter->count=%ld iovec.iov_len=%ld\n", iter->count, iovec.iov_len);
if (type == READ) {
nr = filp->f_op->read(filp, iovec.iov_base,
iovec.iov_len, ppos);
@@ -717,6 +720,9 @@ static ssize_t do_loop_readv_writev(struct file *filp, struct iov_iter *iter,
nr = filp->f_op->write(filp, iovec.iov_base,
iovec.iov_len, ppos);
}
+ if (IS_ENABLED(CONFIG_DEBUG_AID_FOR_SYZBOT) &&
+ fatal_signal_pending(current))
+ printk("do_loop_readv_writev: nr=%ld\n", nr);
if (nr < 0) {
if (!ret)
--
1.8.3.1