
On Sun, Apr 8, 2018 at 2:58 PM, Tetsuo Handa penguin-kernel@i-love.sakura.ne.jp wrote:
I manually simplified the reproducer.
It is quite strange that removing unshare() hides this lockup bug. Also, explicitly closing by "close()" hides this lockup bug. Does triggering "fput() from do_exit()" from a "different namespace" somehow affect this lockup bug?
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/soundcard.h>

int main(int argc, char *argv[])
{
	/* OSS emulation device node of the second sound card. */
	const int fd = open("/dev/dsp1", O_RDWR);
	/* SNDCTL_DSP_SETFRAGMENT argument: fragment count in the high 16 bits,
	 * log2 of the fragment size in the low 16 bits; both zero here. */
	int frag = (0 << 16) | 0;
	char buf[48] = { };

	/* Removing this unshare() hides the lockup (see above). */
	unshare(CLONE_NEWNS);
	ioctl(fd, SNDCTL_DSP_SETFRAGMENT, &frag);
	write(fd, buf, sizeof(buf));
	/* fd is deliberately not close()d: the file is released by
	 * fput() from do_exit(), which is what triggers the lockup. */
	return 0;
}
Takashi has already fixed this. See this thread: https://groups.google.com/forum/#!searchin/syzkaller-bugs/%22INFO$3A$20rcu$2...
The fix commit includes a tag for this bug: Reported-by: syzbot+4f2016cf5185da7759dc@syzkaller.appspotmail.com It's just that it's mentioned in the thread for another bug.