INFO: task hung in ppp_ioctl

From: Wei Chen
Date: Sun Oct 30 2022 - 06:06:45 EST


Dear Linux Developer,

Recently when using our tool to fuzz kernel, the following crash was triggered:

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1CZaZY-5qhU8R8Kx9yRxH3uk-Z-4Klr-H/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>

INFO: task syz-executor.0:21121 blocked for more than 143 seconds.
Not tainted 5.15.0-rc5 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:13736 pid:21121 ppid: 20431 flags:0x00004004
Call Trace:
__schedule+0x4a1/0x1720
schedule+0x36/0xe0
schedule_preempt_disabled+0xf/0x20
__mutex_lock+0x67a/0x9a0
ppp_ioctl+0x1247/0x1ee0
__x64_sys_ioctl+0xe8/0x140
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4692c9
RSP: 002b:00007f36d6808c38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004692c9
RDX: 0000000020000040 RSI: 00000000c004743e RDI: 0000000000000004
RBP: 000000000119bfb0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bfac
R13: 0000000000000000 R14: 000000000119bfa0 R15: 00007ffeb87bf8c0

Showing all locks held in the system:
1 lock held by khungtaskd/29:
#0: ffffffff8641dee0 (rcu_read_lock){....}-{1:2}, at:
debug_show_all_locks+0x15/0x17a
1 lock held by in:imklog/6162:
#0: ffff88800f6a1af0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x92/0xa0
3 locks held by kworker/1:8/7427:
#0: ffff8881070edb38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#1: ffffc90005197e68 ((addr_chk_work).work){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#2: ffffffff86897be8 (rtnl_mutex){+.+.}-{3:3}, at:
addrconf_verify_work+0xa/0x20
5 locks held by kworker/u4:4/2032:
#0: ffff888100046938 ((wq_completion)netns){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#1: ffffc900050cfe68 (net_cleanup_work){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#2: ffffffff86893750 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x4f/0x540
#3: ffffffff86897be8 (rtnl_mutex){+.+.}-{3:3}, at:
default_device_exit_batch+0x81/0x1d0
#4: ffffffff864205b0 (rcu_state.barrier_mutex){+.+.}-{3:3}, at:
rcu_barrier+0x2b/0x280
3 locks held by kworker/0:54/20464:
#0: ffff888009856738 ((wq_completion)events){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#1: ffffc9000177be68 ((linkwatch_work).work){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#2: ffffffff86897be8 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xb/0x40
3 locks held by kworker/0:55/20465:
#0: ffff888009856f38
((wq_completion)events_power_efficient){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#1: ffffc9000178be68 ((reg_check_chans).work){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#2: ffffffff86897be8 (rtnl_mutex){+.+.}-{3:3}, at:
reg_check_chans_work+0x37/0x7f0
3 locks held by kworker/0:144/20554:
#0: ffff888009856738 ((wq_completion)events){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#1: ffffc90002a73e68 (deferred_process_work){+.+.}-{0:0}, at:
process_one_work+0x327/0x9f0
#2: ffffffff86897be8 (rtnl_mutex){+.+.}-{3:3}, at:
switchdev_deferred_process_work+0xa/0x20
2 locks held by syz-executor.0/21121:
#0: ffffffff866c6ec8 (ppp_mutex){+.+.}-{3:3}, at: ppp_ioctl+0x3c/0x1ee0
#1: ffffffff86897be8 (rtnl_mutex){+.+.}-{3:3}, at: ppp_ioctl+0x1247/0x1ee0

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 29 Comm: khungtaskd Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0xcd/0x134
nmi_cpu_backtrace.cold.8+0xf3/0x118
nmi_trigger_cpumask_backtrace+0x18f/0x1c0
watchdog+0x9a0/0xb10
kthread+0x1a6/0x1e0
ret_from_fork+0x1f/0x30
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 2988 Comm: systemd-journal Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0033:0x7f9ecd0d80f4
Code: c0 0f 84 df 00 00 00 49 8d 2c 08 48 3b 6f 60 48 89 fb 77 42 8d
7e ff 48 8d 43 30 83 ff 07 bf 00 00 00 00 0f 43 f7 48 83 ec 08 <48> 8b
bb 48 01 00 00 41 51 49 89 c9 50 89 f1 41 50 44 0f b6 c2 8b
RSP: 002b:00007ffc82797cd8 EFLAGS: 00000216
RAX: 000056106a359cd0 RBX: 000056106a359ca0 RCX: 000000000024cc20
RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000000
RBP: 00000000002591a8 R08: 000000000000c588 R09: 00007ffc82797d20
R10: 00000000000a43ba R11: 00007f9ec8b7d760 R12: 0000000000000001
R13: 00007ffc82797d98 R14: 0000000000000006 R15: 00007ffc82797d20
FS: 00007f9ecd3e98c0 GS: 0000000000000000

Best,
Wei