/
report0
169 lines (169 loc) · 9.89 KB
/
report0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 4e9c1067 P4D 4e9c1067 PUD 48f24067 PMD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 23810 Comm: syz-executor.0 Not tainted 6.3.0-rc3-intel-next-213f5bdb6525+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:io_poll_remove_entry io_uring/poll.c:182 [inline]
RIP: 0010:io_poll_remove_entries.part.16+0x14a/0x310 io_uring/poll.c:220
Code: 06 00 00 00 89 de e8 75 1e 59 ff 80 fb 06 0f 84 c5 01 00 00 e8 07 1d 59 ff 49 8b 84 24 a8 00 00 00 48 8b 58 40 e8 f6 1c 59 ff <4c> 8b 63 08 4d 85 e4 74 38 e8 e8 1c 59 ff 4c 89 e7 e8 70 91 26 01
RSP: 0018:ffffc9000f77bb78 EFLAGS: 00010212
RAX: 0000000000000403 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc90001089000 RSI: ffff88800a8f8000 RDI: 0000000000000002
RBP: ffffc9000f77bb90 R08: 0000000000000019 R09: 0000000000000001
R10: ffff88800a8f8d98 R11: 0000000000000000 R12: ffff888056aa4a00
R13: 0000000000000000 R14: 0000000000000059 R15: 0000000001000000
FS: 00007f19e65b4700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000043a62006 CR4: 0000000000f70ef0
PKRU: 55555554
Call Trace:
<TASK>
io_poll_remove_entries io_uring/poll.c:198 [inline]
__io_arm_poll_handler+0x30c/0x520 io_uring/poll.c:603
io_arm_poll_handler+0x2cf/0x530 io_uring/poll.c:734
io_queue_async+0x88/0x2f0 io_uring/io_uring.c:2057
io_queue_sqe io_uring/io_uring.c:2088 [inline]
io_req_task_submit+0x122/0x140 io_uring/io_uring.c:1425
io_poll_task_func+0x4c6/0x700 io_uring/poll.c:346
handle_tw_list io_uring/io_uring.c:1184 [inline]
tctx_task_work+0x1d3/0x650 io_uring/io_uring.c:1246
task_work_run+0xb6/0x120 kernel/task_work.c:179
get_signal+0xd6b/0x14a0 kernel/signal.c:2635
arch_do_signal_or_restart+0x33/0x280 arch/x86/kernel/signal.c:307
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x13b/0x210 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x2d/0x60 kernel/entry/common.c:296
do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x4773bd
Code: db 48 89 d8 5b 5d 41 5c 41 5d 41 5e c3 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f19e65b4108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 000000000059bf80 RCX: 00000000004773bd
RDX: 0000000020000080 RSI: 0000000000005437 RDI: 0000000000000003
RBP: 000000000059bf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc1fece28f R14: 00007ffc1fece410 R15: 00007f19e65b4280
</TASK>
Modules linked in:
CR2: 0000000000000008
---[ end trace 0000000000000000 ]---
RIP: 0010:io_poll_remove_entry io_uring/poll.c:182 [inline]
RIP: 0010:io_poll_remove_entries.part.16+0x14a/0x310 io_uring/poll.c:220
Code: 06 00 00 00 89 de e8 75 1e 59 ff 80 fb 06 0f 84 c5 01 00 00 e8 07 1d 59 ff 49 8b 84 24 a8 00 00 00 48 8b 58 40 e8 f6 1c 59 ff <4c> 8b 63 08 4d 85 e4 74 38 e8 e8 1c 59 ff 4c 89 e7 e8 70 91 26 01
RSP: 0018:ffffc9000f77bb78 EFLAGS: 00010212
RAX: 0000000000000403 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc90001089000 RSI: ffff88800a8f8000 RDI: 0000000000000002
RBP: ffffc9000f77bb90 R08: 0000000000000019 R09: 0000000000000001
R10: ffff88800a8f8d98 R11: 0000000000000000 R12: ffff888056aa4a00
R13: 0000000000000000 R14: 0000000000000059 R15: 0000000001000000
FS: 00007f19e65b4700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000043a62006 CR4: 0000000000f70ef0
PKRU: 55555554
note: syz-executor.0[23810] exited with irqs disabled
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 23810, name: syz-executor.0
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
INFO: lockdep is turned off.
CPU: 0 PID: 23810 Comm: syz-executor.0 Tainted: G D 6.3.0-rc3-intel-next-213f5bdb6525+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xe0/0x110 lib/dump_stack.c:106
dump_stack+0x19/0x20 lib/dump_stack.c:113
__might_resched+0x1c2/0x2e0 kernel/sched/core.c:10058
__might_sleep+0x46/0x70 kernel/sched/core.c:9987
__mutex_lock_common kernel/locking/mutex.c:580 [inline]
__mutex_lock+0x54/0xcb0 kernel/locking/mutex.c:747
mutex_lock_nested+0x1f/0x30 kernel/locking/mutex.c:799
io_uring_del_tctx_node+0x84/0x110 io_uring/tctx.c:169
io_uring_clean_tctx+0x74/0xf0 io_uring/tctx.c:185
io_uring_cancel_generic+0x452/0x4e0 io_uring/io_uring.c:3260
__io_uring_cancel+0x1f/0x30 io_uring/io_uring.c:3274
io_uring_files_cancel include/linux/io_uring.h:55 [inline]
do_exit+0x227/0x12b0 kernel/exit.c:824
make_task_dead+0x100/0x290 kernel/exit.c:981
rewind_stack_and_make_dead+0x17/0x20 arch/x86/entry/entry_64.S:1541
RIP: 0033:0x4773bd
Code: db 48 89 d8 5b 5d 41 5c 41 5d 41 5e c3 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f19e65b4108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 000000000059bf80 RCX: 00000000004773bd
RDX: 0000000020000080 RSI: 0000000000005437 RDI: 0000000000000003
RBP: 000000000059bf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc1fece28f R14: 00007ffc1fece410 R15: 00007f19e65b4280
</TASK>
------------[ cut here ]------------
Voluntary context switch within RCU read-side critical section!
WARNING: CPU: 0 PID: 23810 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x4f0/0x5b0 kernel/rcu/tree_plugin.h:318
Modules linked in:
CPU: 0 PID: 23810 Comm: syz-executor.0 Tainted: G D W 6.3.0-rc3-intel-next-213f5bdb6525+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:rcu_note_context_switch+0x4f0/0x5b0 kernel/rcu/tree_plugin.h:318
Code: 1f d7 01 85 c0 75 02 0f 0b 49 8b 4c 24 58 48 8b 53 20 e9 6f fd ff ff 48 c7 c7 c0 8d 99 83 c6 05 52 58 dd 02 01 e8 10 c0 ef ff <0f> 0b e9 a4 fb ff ff a9 ff ff ff 7f 0f 84 0c fc ff ff 65 48 8b 3c
RSP: 0018:ffffc9000f77bbf8 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff88807dc36180 RCX: ffffffff8111835b
RDX: 0000000000000000 RSI: ffff88800a8f8000 RDI: 0000000000000002
RBP: ffffc9000f77bc20 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000002ea2 R11: 000000000000b7b8 R12: ffff88807dc352c0
R13: ffff88800a8f8000 R14: 0000000000000000 R15: ffff88800a8f8000
FS: 00007f19e65b4700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000043a62001 CR4: 0000000000f70ef0
PKRU: 55555554
Call Trace:
<TASK>
__schedule+0xe1/0xc30 kernel/sched/core.c:6522
schedule+0x5b/0xe0 kernel/sched/core.c:6698
schedule_preempt_disabled+0x1c/0x30 kernel/sched/core.c:6757
mutex_optimistic_spin kernel/locking/mutex.c:510 [inline]
__mutex_lock_common kernel/locking/mutex.c:607 [inline]
__mutex_lock+0xad4/0xcb0 kernel/locking/mutex.c:747
mutex_lock_nested+0x1f/0x30 kernel/locking/mutex.c:799
io_uring_del_tctx_node+0x84/0x110 io_uring/tctx.c:169
io_uring_clean_tctx+0x74/0xf0 io_uring/tctx.c:185
io_uring_cancel_generic+0x452/0x4e0 io_uring/io_uring.c:3260
__io_uring_cancel+0x1f/0x30 io_uring/io_uring.c:3274
io_uring_files_cancel include/linux/io_uring.h:55 [inline]
do_exit+0x227/0x12b0 kernel/exit.c:824
make_task_dead+0x100/0x290 kernel/exit.c:981
rewind_stack_and_make_dead+0x17/0x20 arch/x86/entry/entry_64.S:1541
RIP: 0033:0x4773bd
Code: db 48 89 d8 5b 5d 41 5c 41 5d 41 5e c3 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f19e65b4108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 000000000059bf80 RCX: 00000000004773bd
RDX: 0000000020000080 RSI: 0000000000005437 RDI: 0000000000000003
RBP: 000000000059bf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc1fece28f R14: 00007ffc1fece410 R15: 00007f19e65b4280
</TASK>
irq event stamp: 602
hardirqs last enabled at (601): [<ffffffff82faea5b>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (601): [<ffffffff82faea5b>] _raw_spin_unlock_irq+0x2b/0x60 kernel/locking/spinlock.c:202
hardirqs last disabled at (602): [<ffffffff82f8d8de>] exc_page_fault+0x4e/0x3b0 arch/x86/mm/fault.c:1573
softirqs last enabled at (0): [<ffffffff811148b8>] copy_process+0x1298/0x2c60 kernel/fork.c:2204
softirqs last disabled at (0): [<0000000000000000>] 0x0
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 00 00 add %al,(%rax)
2: 89 de mov %ebx,%esi
4: e8 75 1e 59 ff call 0xff591e7e
9: 80 fb 06 cmp $0x6,%bl
c: 0f 84 c5 01 00 00 je 0x1d7
12: e8 07 1d 59 ff call 0xff591d1e
17: 49 8b 84 24 a8 00 00 mov 0xa8(%r12),%rax
1e: 00
1f: 48 8b 58 40 mov 0x40(%rax),%rbx
23: e8 f6 1c 59 ff call 0xff591d1e
* 28: 4c 8b 63 08 mov 0x8(%rbx),%r12 <-- trapping instruction
2c: 4d 85 e4 test %r12,%r12
2f: 74 38 je 0x69
31: e8 e8 1c 59 ff call 0xff591d1e
36: 4c 89 e7 mov %r12,%rdi
39: e8 70 91 26 01 call 0x12691ae