syzbot


possible deadlock in vfs_fallocate

Status: fixed on 2019/03/28 12:00
Subsystems: fs
[Documentation on labels]
Reported-by: syzbot+148c2885d71194f18d28@syzkaller.appspotmail.com
Fix commit: fb4415a12632 staging: android: ashmem: Don't call fallocate() with ashmem_mutex held.
First crash: 2240d, last: 2129d
Discussions (5)
Title Replies (including bot) Last reply
[PATCH 5.0 00/46] 5.0.1-stable review 59 (59) 2019/03/12 09:50
[PATCH 4.20 00/76] 4.20.15-stable review 81 (81) 2019/03/09 22:35
[PATCH 4.19 00/68] 4.19.28-stable review 73 (73) 2019/03/09 22:35
possible deadlock in __do_page_fault 19 (22) 2019/01/29 10:44
possible deadlock in vfs_fallocate 3 (5) 2019/01/22 14:26
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 possible deadlock in vfs_fallocate C error 2871 656d 1883d 0/1 upstream: reported C repro on 2019/04/21 16:20

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)

======================================================
WARNING: possible circular locking dependency detected
4.18.0+ #187 Not tainted
------------------------------------------------------
syz-executor101/4313 is trying to acquire lock:
(____ptrval____) (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2738 [inline]
(____ptrval____) (sb_writers#3){.+.+}, at: vfs_fallocate+0x5be/0x8d0 fs/open.c:318

but task is already holding lock:
(____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580 drivers/staging/android/ashmem.c:442

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:757 [inline]
       __mutex_lock+0x17f/0x18a0 kernel/locking/mutex.c:894
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:909
       ashmem_mmap+0x53/0x4a0 drivers/staging/android/ashmem.c:361
       call_mmap include/linux/fs.h:1798 [inline]
       mmap_region+0xe39/0x1b50 mm/mmap.c:1762
       do_mmap+0xa06/0x1320 mm/mmap.c:1535
       do_mmap_pgoff include/linux/mm.h:2306 [inline]
       vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357
       ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585
       __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
       __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&mm->mmap_sem){++++}:
       __might_fault+0x155/0x1e0 mm/memory.c:4565
       _copy_to_user+0x30/0x110 lib/usercopy.c:25
       copy_to_user include/linux/uaccess.h:155 [inline]
       filldir+0x1ea/0x3a0 fs/readdir.c:196
       dir_emit_dot include/linux/fs.h:3402 [inline]
       dir_emit_dots include/linux/fs.h:3413 [inline]
       dcache_readdir+0x13a/0x620 fs/libfs.c:192
       iterate_dir+0x4b0/0x5d0 fs/readdir.c:51
       __do_sys_getdents fs/readdir.c:231 [inline]
       __se_sys_getdents fs/readdir.c:212 [inline]
       __x64_sys_getdents+0x29f/0x510 fs/readdir.c:212
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&sb->s_type->i_mutex_key#10){++++}:
       down_write+0x8f/0x130 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:715 [inline]
       generic_file_write_iter+0xed/0x870 mm/filemap.c:3289
       call_write_iter include/linux/fs.h:1793 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x6c6/0x9f0 fs/read_write.c:487
       vfs_write+0x1f8/0x560 fs/read_write.c:549
       kernel_write+0xab/0x120 fs/read_write.c:526
       fork_usermode_blob+0x11c/0x1b0 kernel/umh.c:493
       load_umh+0x2b/0xbd net/bpfilter/bpfilter_kern.c:93
       do_one_initcall+0x127/0x913 init/main.c:884
       do_initcall_level init/main.c:952 [inline]
       do_initcalls init/main.c:960 [inline]
       do_basic_setup init/main.c:978 [inline]
       kernel_init_freeable+0x49b/0x58e init/main.c:1135
       kernel_init+0x11/0x1b3 init/main.c:1061
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413

-> #0 (sb_writers#3){.+.+}:
       lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x1e9/0x300 fs/super.c:1403
       file_start_write include/linux/fs.h:2738 [inline]
       vfs_fallocate+0x5be/0x8d0 fs/open.c:318
       ashmem_shrink_scan+0x1f9/0x580 drivers/staging/android/ashmem.c:449
       ashmem_ioctl+0x3dd/0x13c0 drivers/staging/android/ashmem.c:791
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
       ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
       __do_sys_ioctl fs/ioctl.c:708 [inline]
       __se_sys_ioctl fs/ioctl.c:706 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  sb_writers#3 --> &mm->mmap_sem --> ashmem_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(sb_writers#3);

 *** DEADLOCK ***

1 lock held by syz-executor101/4313:
 #0: (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580 drivers/staging/android/ashmem.c:442

stack backtrace:
CPU: 0 PID: 4313 Comm: syz-executor101 Not tainted 4.18.0+ #187
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_circular_bug.isra.36.cold.57+0x1bd/0x27d kernel/locking/lockdep.c:1227
 check_prev_add kernel/locking/lockdep.c:1867 [inline]
 check_prevs_add kernel/locking/lockdep.c:1980 [inline]
 validate_chain kernel/locking/lockdep.c:2421 [inline]
 __lock_acquire+0x3449/0x5020 kernel/locking/lockdep.c:3435
 lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
 percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
 __sb_start_write+0x1e9/0x300 fs/super.c:1403
 file_start_write include/linux/fs.h:2738 [inline]
 vfs_fallocate+0x5be/0x8d0 fs/open.c:318
 ashmem_shrink_scan+0x1f9/0x580 drivers/staging/android/ashmem.c:449
 ashmem_ioctl+0x3dd/0x13c0 drivers/staging/android/ashmem.c:791
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440099
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007ffe0b216298 EFLAGS:

Crashes (3981):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/08/14 06:10 upstream 7796916146b8 7a88b141 .config console log report syz C ci-upstream-kasan-gce-root
2018/08/12 20:16 upstream d6dd6431591b 7a88b141 .config console log report syz C ci-upstream-kasan-gce-root
2018/08/10 17:43 upstream 112cbae26d18 1fb62d58 .config console log report syz C ci-upstream-kasan-gce-root
2018/08/09 21:06 upstream 112cbae26d18 1fb62d58 .config console log report syz C ci-upstream-kasan-gce-root
2018/04/29 15:25 upstream cdface520934 d5a5d045 .config console log report syz C ci-upstream-kasan-gce-root
2018/08/18 19:19 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 18:03 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 16:37 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 13:26 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 12:00 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 10:09 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 09:03 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 07:39 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 06:01 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 04:22 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 03:12 upstream 1f7a4c73a739 db1858f6 .config console log report ci-upstream-kasan-gce-root
2018/08/18 01:24 upstream edb0a2000936 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 23:58 upstream edb0a2000936 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 20:49 upstream edb0a2000936 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 19:44 upstream edb0a2000936 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 18:41 upstream 5c60a7389d79 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 17:19 upstream 5c60a7389d79 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 16:05 upstream 5c60a7389d79 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 14:35 upstream 5c60a7389d79 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 13:28 upstream 5c60a7389d79 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/17 13:16 upstream 5c60a7389d79 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/17 11:14 upstream 5c60a7389d79 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/17 08:49 upstream 5c60a7389d79 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/17 06:40 upstream 5c60a7389d79 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/17 03:51 upstream 5c60a7389d79 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/17 02:34 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/17 01:25 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 21:48 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 18:18 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 17:16 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 15:58 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 14:14 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 12:38 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 11:38 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 10:35 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 08:48 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 06:32 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 00:03 upstream 31130a16d459 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/15 21:18 upstream 31130a16d459 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/15 19:19 upstream 31130a16d459 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
* Struck through repros no longer work on HEAD.