syzbot


WARNING: possible circular locking dependency detected

Status: public: reported C repro on 2019/04/10 16:14
Reported-by: syzbot+3d7a062f7e24a60c347a@syzkaller.appspotmail.com
First crash: 2105d, last: 1711d
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream WARNING: possible circular locking dependency detected (2) 1 2448d 2448d 0/28 closed as invalid on 2017/09/30 06:49
upstream WARNING: possible circular locking dependency detected (4) net C 27 2239d 2246d 8/28 fixed on 2018/07/09 18:05
upstream WARNING: possible circular locking dependency detected 1 2458d 2458d 0/28 closed as invalid on 2017/09/24 05:49
upstream WARNING: possible circular locking dependency detected (3) 1 2446d 2446d 0/28 closed as invalid on 2017/10/02 13:49

Sample crash report:
audit: type=1400 audit(1570422625.373:7): avc:  denied  { map } for  pid=1786 comm="syz-executor080" path="/root/syz-executor080881991" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
audit: type=1400 audit(1570422625.423:8): avc:  denied  { map } for  pid=1787 comm="syz-executor080" path="/dev/ashmem" dev="devtmpfs" ino=5461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.14.147+ #0 Not tainted
------------------------------------------------------
syz-executor080/1790 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){+.+.}, at: [<        (ptrval)>] inode_lock include/linux/fs.h:718 [inline]
 (&sb->s_type->i_mutex_key#10){+.+.}, at: [<        (ptrval)>] shmem_fallocate+0x150/0xae0 mm/shmem.c:2902

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<        (ptrval)>] ashmem_shrink_scan+0x53/0x4f0 drivers/staging/android/ashmem.c:446

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf7/0x13e0 kernel/locking/mutex.c:893
       ashmem_mmap+0x4c/0x450 drivers/staging/android/ashmem.c:369
       call_mmap include/linux/fs.h:1793 [inline]
       mmap_region+0x7d9/0xfb0 mm/mmap.c:1732
       do_mmap+0x548/0xb80 mm/mmap.c:1510
       do_mmap_pgoff include/linux/mm.h:2209 [inline]
       vm_mmap_pgoff+0x177/0x1c0 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1560 [inline]
       SyS_mmap_pgoff+0xf4/0x1b0 mm/mmap.c:1518
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&mm->mmap_sem){++++}:
       down_read+0x37/0xa0 kernel/locking/rwsem.c:24
       __do_page_fault+0x8a4/0xbb0 arch/x86/mm/fault.c:1356
       page_fault+0x22/0x50 arch/x86/entry/entry_64.S:1122
       fault_in_pages_readable include/linux/pagemap.h:606 [inline]
       iov_iter_fault_in_readable+0x162/0x350 lib/iov_iter.c:421
       generic_perform_write+0x158/0x460 mm/filemap.c:3122
       __generic_file_write_iter+0x32e/0x550 mm/filemap.c:3257
       generic_file_write_iter+0x36f/0x650 mm/filemap.c:3285
       call_write_iter include/linux/fs.h:1788 [inline]
       new_sync_write fs/read_write.c:471 [inline]
       __vfs_write+0x401/0x5a0 fs/read_write.c:484
       vfs_write+0x17f/0x4d0 fs/read_write.c:546
       SYSC_pwrite64 fs/read_write.c:636 [inline]
       SyS_pwrite64+0x136/0x160 fs/read_write.c:623
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&sb->s_type->i_mutex_key#10){+.+.}:
       lock_acquire+0x12b/0x360 kernel/locking/lockdep.c:3994
       down_write+0x34/0x90 kernel/locking/rwsem.c:54
       inode_lock include/linux/fs.h:718 [inline]
       shmem_fallocate+0x150/0xae0 mm/shmem.c:2902
       ashmem_shrink_scan drivers/staging/android/ashmem.c:453 [inline]
       ashmem_shrink_scan+0x1ca/0x4f0 drivers/staging/android/ashmem.c:437
       ashmem_ioctl+0x2b4/0xd20 drivers/staging/android/ashmem.c:795
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0xabe/0x1040 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor080/1790:
 #0:  (ashmem_mutex){+.+.}, at: [<        (ptrval)>] ashmem_shrink_scan+0x53/0x4f0 drivers/staging/android/ashmem.c:446

stack backtrace:
CPU: 0 PID: 1790 Comm: syz-executor080 Not tainted 4.14.147+ #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2f5f/0x4320 kernel/locking/lockdep.c:3487
 lock_acquire+0x12b/0x360 kernel/locking/lockdep.c:3994
 down_write+0x34/0x90 kernel/locking/rwsem.c:54
 inode_lock include/linux/fs.h:718 [inline]
 shmem_fallocate+0x150/0xae0 mm/shmem.c:2902
 ashmem_shrink_scan drivers/staging/android/ashmem.c:453 [inline]
 ashmem_shrink_scan+0x1ca/0x4f0 drivers/staging/android/ashmem.c:437
 ashmem_ioctl+0x2b4/0xd20 drivers/staging/android/ashmem.c:795
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0xabe/0x1040 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x44a869
RSP: 002b:00007f09881bfd98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 000000000044a869
RDX: 0000000000000000 RSI: 000000000000770a RDI: 0000000000000004
RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 0000000000020001 R14: ed01040200746178 R15: 2e73666b6d903ceb

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/10/07 04:33 android-4.14 9674240fb29c f3f7d9c8 .config console log report syz C ci-android-414-kasan-gce-root
2019/09/09 03:29 android-4.14 4eccd8013349 a60cb4cd .config console log report syz C ci-android-414-kasan-gce-root
2019/08/27 08:53 android-4.14 f5189d4af2b5 d21c5d9d .config console log report syz C ci-android-414-kasan-gce-root
2019/06/20 07:55 android-4.14 334aa9b115f3 34bf9440 .config console log report syz C ci-android-414-kasan-gce-root
2018/09/07 19:14 android-4.14 b859aa7d7a0c 69cfeb80 .config console log report syz C ci-android-414-kasan-gce-root
2019/06/05 14:39 android-4.14 50f99a65439b bfb4a51e .config console log report syz ci-android-414-kasan-gce-root
2019/04/09 11:52 android-4.14 d8414567db62 995065ff .config console log report syz ci-android-414-kasan-gce-root
2019/04/08 09:23 android-4.14 171fc237b3cb c34fde03 .config console log report syz ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.