BUG: soft lockup in kcov_ioctl

From: Kun Hu
Date: Wed Dec 25 2024 - 23:46:14 EST


Hello,

When using fuzzer tool to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8
git tree: upstream
Console output: https://drive.google.com/file/d/1hHx0XqzeOIA6IZ-_nC_XviXb1nlt0bxI/view?usp=sharing
Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing
C reproducer: /
Syzlang reproducer: /

Unfortunately, we're getting a stable reproduction of the program. If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx>

watchdog: BUG: soft lockup - CPU#3 stuck for 23s! [syz-executor:1847]
Modules linked in:
irq event stamp: 176368
hardirqs last enabled at (176367): [<ffffffff9dace9fb>] irqentry_exit+0x3b/0x90 kernel/entry/common.c:357
hardirqs last disabled at (176368): [<ffffffff9daccfcf>] sysvec_apic_timer_interrupt+0xf/0xb0 arch/x86/kernel/apic/apic.c:1049
softirqs last enabled at (176360): [<ffffffff95b0f4d4>] softirq_handle_end kernel/softirq.c:407 [inline]
softirqs last enabled at (176360): [<ffffffff95b0f4d4>] handle_softirqs+0x544/0x870 kernel/softirq.c:589
softirqs last disabled at (176351): [<ffffffff95b1117e>] __do_softirq kernel/softirq.c:595 [inline]
softirqs last disabled at (176351): [<ffffffff95b1117e>] invoke_softirq kernel/softirq.c:435 [inline]
softirqs last disabled at (176351): [<ffffffff95b1117e>] __irq_exit_rcu kernel/softirq.c:662 [inline]
softirqs last disabled at (176351): [<ffffffff95b1117e>] irq_exit_rcu+0xee/0x140 kernel/softirq.c:678
CPU: 3 UID: 0 PID: 1847 Comm: syz-executor Not tainted 6.13.0-rc3 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:virt_spin_lock arch/x86/include/asm/qspinlock.h:102 [inline]
RIP: 0010:queued_spin_lock_slowpath+0xcb/0xc60 kernel/locking/qspinlock.c:324
Code: 00 00 00 49 01 c6 41 83 c5 03 be 04 00 00 00 48 89 df e8 98 61 76 f8 41 0f b6 06 41 38 c5 7c 08 84 c0 0f 85 f8 09 00 00 8b 03 <89> 44 24 48 85 c0 0f 85 6f 01 00 00 48 89 df be 04 00 00 00 e8 9c
RSP: 0018:ffa000002f0a7748 EFLAGS: 00000246
RAX: 0000000000000001 RBX: ff1100006a241cc0 RCX: ffffffff9daf9078
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ff1100006a241cc0
RBP: ffa000002f0a7790 R08: fff3fc0005e14f08 R09: ffe21c000d448399
R10: ffe21c000d448398 R11: ff1100006a241cc3 R12: 0000000000000001
R13: 0000000000000003 R14: ffe21c000d448398 R15: 1ffffffff3f91377
FS: 0000555575f4fa00(0000) GS:ff1100006a380000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdfa8d3f000 CR3: 0000000038ad2003 CR4: 0000000000771ef0
PKRU: 80000000
Call Trace:
<IRQ>
</IRQ>
<TASK>
queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
do_raw_spin_lock+0x1de/0x290 kernel/locking/spinlock_debug.c:116
spin_lock include/linux/spinlock.h:351 [inline]
drain_pages_zone+0xa3/0x160 mm/page_alloc.c:2394
drain_pages+0x58/0x80 mm/page_alloc.c:2415
__drain_all_pages+0x291/0x3b0 mm/page_alloc.c:2504
drain_all_pages mm/page_alloc.c:2517 [inline]
__alloc_pages_direct_reclaim mm/page_alloc.c:3963 [inline]
__alloc_pages_slowpath.constprop.0+0x624/0x2170 mm/page_alloc.c:4380
__alloc_pages_noprof+0x564/0x660 mm/page_alloc.c:4764
alloc_pages_mpol_noprof+0xf2/0x400 mm/mempolicy.c:2269
vm_area_alloc_pages mm/vmalloc.c:3589 [inline]
__vmalloc_area_node mm/vmalloc.c:3667 [inline]
__vmalloc_node_range_noprof+0x9c0/0x12c0 mm/vmalloc.c:3844
vmalloc_user_noprof+0x9e/0xe0 mm/vmalloc.c:3998
kcov_ioctl+0x4c/0x500 kernel/kcov.c:716
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x19e/0x210 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6a97aa732b
Code: 0f 92 c0 84 c0 75 b0 49 8d 3c 1c e8 1f 3f 03 00 85 c0 78 b1 48 83 c4 08 4c 89 e0 5b 41 5c c3 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd707a66e8 EFLAGS: 00000207 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007f6a97aa732b
RDX: 0000000000040000 RSI: ffffffff80086301 RDI: 00000000000000e0
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000207 R12: 00007f6a97c6a6d8
R13: 0000000000000003 R14: 0000000000000002 R15: 00007ffd707a676c
</TASK>
Sending NMI from CPU 3 to CPUs 0-2:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:tasklet_action_common+0x7f/0x810 kernel/softirq.c:827
Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 a8 06 00 00 48 89 6d 08 e8 ac ac 40 00 fb 48 bb 00 00 00 00 00 fc ff df <4c> 8b 6c 24 10 49 c1 ed 03 49 8d 44 1d 00 48 89 04 24 4d 85 ff 75
RSP: 0018:ffa00000001bfdc0 EFLAGS: 00000206
RAX: 000000001b406ed8 RBX: dffffc0000000000 RCX: 1ffffffff4437279
RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000
RBP: ff1100006a2a87a0 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff44379c2 R11: ffffffffa21bce17 R12: 000000000003b18c
R13: 0000000000000006 R14: 0000000000000006 R15: ff11000041ba15e8
FS: 0000000000000000(0000) GS:ff1100006a280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd8127e0090 CR3: 00000000350f0005 CR4: 0000000000771ef0
PKRU: 55555554
Call Trace:
<NMI>
</NMI>
<TASK>
handle_softirqs+0x1ad/0x870 kernel/softirq.c:561
run_ksoftirqd kernel/softirq.c:950 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:942
smpboot_thread_fn+0x669/0xa80 kernel/smpboot.c:164
kthread+0x345/0x450 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
NMI backtrace for cpu 2 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
NMI backtrace for cpu 2 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:106 [inline]
NMI backtrace for cpu 2 skipped: idling at default_idle+0x1e/0x30 arch/x86/kernel/process.c:742
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 1729 Comm: syz.3.13 Not tainted 6.13.0-rc3 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:get_current arch/x86/include/asm/current.h:49 [inline]
RIP: 0010:__rcu_read_unlock+0xc6/0x570 kernel/rcu/tree_plugin.h:440
Code: b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e bf 01 00 00 8b 85 00 04 00 00 85 c0 75 57 <65> 48 8b 1d 92 ae 32 6a 48 8d bb fc 03 00 00 48 b8 00 00 00 00 00
RSP: 0018:ffa0000000007e08 EFLAGS: 00000206
RAX: 0000000000000016 RBX: ff1100006a23d240 RCX: 1ffffffff501ee6b
RDX: 0000000000000000 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffffffa0326300 R08: 0000000000000001 R09: fffffbfff501ead5
R10: fffffbfff501ead4 R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000200 R14: ffa0000000007e00 R15: 1ff4000000000fc9
FS: 00007f4bda0d2700(0000) GS:ff1100006a200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f880e276310 CR3: 000000004167e005 CR4: 0000000000771ef0
PKRU: 80000000
Call Trace:
<NMI>
</NMI>
<IRQ>
rcu_read_unlock include/linux/rcupdate.h:882 [inline]
ieee80211_rx_napi+0x117/0x410 net/mac80211/rx.c:5493
ieee80211_rx include/net/mac80211.h:5166 [inline]
ieee80211_handle_queued_frames+0xd9/0x130 net/mac80211/main.c:441
tasklet_action_common+0x279/0x810 kernel/softirq.c:811
handle_softirqs+0x1ad/0x870 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu kernel/softirq.c:662 [inline]
irq_exit_rcu+0xee/0x140 kernel/softirq.c:678
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0x94/0xb0 arch/x86/kernel/apic/apic.c:1049
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x1f4/0x580 kernel/locking/lockdep.c:5817
Code: 9a 24 3b 6a 83 f8 01 0f 85 00 03 00 00 9c 58 f6 c4 02 0f 85 eb 02 00 00 48 83 3c 24 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24
RSP: 0018:ffa00000152ef590 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 1ff4000002a5deb5 RCX: 0000000000000001
RDX: 1fe22000005095af RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000050 R09: fffffbfff501ead5
R10: fffffbfff501ead4 R11: ffffffffa80f56a7 R12: 0000000000000000
R13: ff1100006a241cd8 R14: 0000000000000001 R15: 0000000000000000
__raw_spin_trylock include/linux/spinlock_api_smp.h:90 [inline]
_raw_spin_trylock+0x68/0x80 kernel/locking/spinlock.c:138
spin_trylock include/linux/spinlock.h:361 [inline]
rmqueue_pcplist mm/page_alloc.c:3030 [inline]
rmqueue mm/page_alloc.c:3074 [inline]
get_page_from_freelist+0x4de/0x3800 mm/page_alloc.c:3471
__alloc_pages_noprof+0x2f0/0x660 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0xf2/0x400 mm/mempolicy.c:2269
folio_alloc_mpol_noprof+0x38/0xa0 mm/mempolicy.c:2287
shmem_alloc_folio+0x137/0x160 mm/shmem.c:1794
shmem_alloc_and_add_folio mm/shmem.c:1833 [inline]
shmem_get_folio_gfp mm/shmem.c:2355 [inline]
shmem_get_folio_gfp.isra.0+0x45e/0x13d0 mm/shmem.c:2255
shmem_get_folio mm/shmem.c:2461 [inline]
shmem_write_begin+0x14f/0x2f0 mm/shmem.c:3117
generic_perform_write+0x290/0x850 mm/filemap.c:4055
shmem_file_write_iter+0x111/0x140 mm/shmem.c:3293
new_sync_write fs/read_write.c:586 [inline]
vfs_write fs/read_write.c:679 [inline]
vfs_write+0xb9b/0x10f0 fs/read_write.c:659
ksys_write+0x122/0x240 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4bdb3f018f
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2d 44 89 c7 48 89 44 24 08 e8 cc fd ff ff 48
RSP: 002b:00007f4bda0d1940 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f4bdb3f018f
RDX: 0000000001000000 RSI: 00007f4bd1cb2000 RDI: 0000000000000009
RBP: 00007f4bd1cb2000 R08: 0000000000000000 R09: 00000000000046db
R10: 00000000000046db R11: 0000000000000293 R12: 0000000000000000
R13: 00007f4bda0d1a0c R14: 00007f4bda0d1a10 R15: 00000000200047c2
</TASK>


---------------
thanks,
Kun Hu