INFO: task hung in fuse_mount_remove
From: Wei Chen
Date: Sun Oct 30 2022 - 05:51:42 EST
Dear Linux Developer,
Recently when using our tool to fuzz kernel, the following crash was triggered:
HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1tgzWXmjFknwTTo-Y7gSi48OdM7kyVrxb/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>
INFO: task syz-executor.0:6566 blocked for more than 143 seconds.
Not tainted 5.15.0-rc5 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:10408 pid: 6566 ppid: 1 flags:0x00004004
Call Trace:
__schedule+0x4a1/0x1720
schedule+0x36/0xe0
rwsem_down_write_slowpath+0x322/0x7a0
fuse_mount_remove+0x26/0x90
fuse_sb_destroy+0x23/0x50
fuse_kill_sb_anon+0x11/0x20
deactivate_locked_super+0x42/0x90
deactivate_super+0x9d/0xb0
cleanup_mnt+0x153/0x1d0
task_work_run+0x86/0xe0
exit_to_user_mode_prepare+0x25e/0x280
syscall_exit_to_user_mode+0x19/0x60
do_syscall_64+0x40/0xb0
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46aba7
RSP: 002b:00007ffdca8286e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000046aba7
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffdca8287a0
RBP: 00007ffdca8298a0 R08: 0000000002d3ddd3 R09: 000000000000000c
R10: 00000000fffffffb R11: 0000000000000246 R12: 0000000002d3dd00
R13: 0000000000000002 R14: 0000000000000032 R15: 0000000000000bb8
Showing all locks held in the system:
1 lock held by khungtaskd/29:
#0: ffffffff8641dee0 (rcu_read_lock){....}-{1:2}, at:
debug_show_all_locks+0x15/0x17a
1 lock held by in:imklog/6175:
#0: ffff888013fda6f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x92/0xa0
2 locks held by agetty/6224:
#0: ffff888013f03098 (&tty->ldisc_sem){++++}-{0:0}, at:
tty_ldisc_ref_wait+0x20/0x50
#1: ffffc900008472e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at:
n_tty_read+0x203/0x930
2 locks held by agetty/6232:
#0: ffff88810ac7d898 (&tty->ldisc_sem){++++}-{0:0}, at:
tty_ldisc_ref_wait+0x20/0x50
#1: ffffc9000084b2e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at:
n_tty_read+0x203/0x930
2 locks held by syz-executor.0/6566:
#0: ffff88802dbeb0e0 (&type->s_umount_key#53){+.+.}-{3:3}, at:
deactivate_super+0x95/0xb0
#1: ffff88803ca09b38 (&fc->killsb){++++}-{3:3}, at: fuse_mount_remove+0x26/0x90
1 lock held by syz-executor.0/1879:
#0: ffff88803ca09b38 (&fc->killsb){++++}-{3:3}, at:
fuse_dev_do_write+0x532/0x14f0
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 29 Comm: khungtaskd Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0xcd/0x134
nmi_cpu_backtrace.cold.8+0xf3/0x118
nmi_trigger_cpumask_backtrace+0x18f/0x1c0
watchdog+0x9a0/0xb10
kthread+0x1a6/0x1e0
ret_from_fork+0x1f/0x30
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 10409 Comm: syz-executor.0 Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:perf_trace_lock_acquire+0x156/0x1a0
Code: 00 53 e8 5d 47 1d 00 5e 5f 48 8b 45 d0 65 48 33 04 25 28 00 00
00 75 4a 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 8b 03 <48> 85
c0 0f 85 1c ff ff ff eb d4 41 bd 18 00 07 00 41 bc 06 00 00
RSP: 0000:ffffc90002d97c80 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffe8ffffc42d38 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90002d97cd8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000005 R11: 0000000000000000 R12: 000000000000000e
R13: 00000000000f0018 R14: ffffffff86338f00 R15: ffff88810ae79b28
FS: 00007f9a23fd1700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000110c96000 CR4: 00000000003526e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
lock_acquire+0x184/0x330
__might_fault+0x92/0xc0
copy_fpstate_to_sigframe+0x5a8/0x680
get_sigframe.isra.16+0xb1/0x1b0
arch_do_signal_or_restart+0x53a/0x870
exit_to_user_mode_prepare+0x138/0x280
irqentry_exit_to_user_mode+0x5/0x40
exc_page_fault+0x4a4/0x1130
asm_exc_page_fault+0x1e/0x30
RIP: 0033:0x4064fb
Code: c7 f0 fe ff ff e8 65 06 02 00 85 c0 0f 84 95 01 00 00 64 f0 83
2c 25 b8 ff ff ff 01 48 8b 54 24 18 48 8b 44 24 28 4c 8b 42 78 <8b> 00
49 83 f8 ff 89 82 80 00 00 00 0f 84 13 01 00 00 48 8b 44 24
RSP: 002b:00007f9a23fd0c40 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 000000000119bfa0
RDX: 000000000119bfa0 RSI: 0000000000000001 RDI: 00007f9a23fd15f0
RBP: 000000000119bfa8 R08: 0000000000000000 R09: 000000000119bfa8
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bfac
R13: 0000000000000000 R14: 000000000119bfa0 R15: 00007ffdca829770
----------------
Code disassembly (best guess):
0: 00 53 e8 add %dl,-0x18(%rbx)
3: 5d pop %rbp
4: 47 1d 00 5e 5f 48 rex.RXB sbb $0x485f5e00,%eax
a: 8b 45 d0 mov -0x30(%rbp),%eax
d: 65 48 33 04 25 28 00 xor %gs:0x28,%rax
14: 00 00
16: 75 4a jne 0x62
18: 48 8d 65 d8 lea -0x28(%rbp),%rsp
1c: 5b pop %rbx
1d: 41 5c pop %r12
1f: 41 5d pop %r13
21: 41 5e pop %r14
23: 41 5f pop %r15
25: 5d pop %rbp
26: c3 retq
27: 48 8b 03 mov (%rbx),%rax
* 2a: 48 85 c0 test %rax,%rax <-- trapping instruction
2d: 0f 85 1c ff ff ff jne 0xffffff4f
33: eb d4 jmp 0x9
35: 41 bd 18 00 07 00 mov $0x70018,%r13d
3b: 41 rex.B
3c: bc .byte 0xbc
3d: 06 (bad)
Best,
Wei