syzbot

possible deadlock in __might_fault

Status: auto-closed as invalid on 2020/03/25 09:38
Reported-by: syzbot+3e54a9114d866f76bf3e@syzkaller.appspotmail.com
First crash: 2040d, last: 1620d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream possible deadlock in __might_fault staging C 8978 2242d 2257d 4/26 fixed on 2018/03/23 18:14
linux-4.19 possible deadlock in __might_fault C done 385 1598d 1848d 1/1 fixed on 2020/01/18 20:51
linux-4.14 possible deadlock in __might_fault C done 295 1607d 1847d 1/1 fixed on 2020/01/09 09:47
android-44 possible deadlock in __might_fault C 6745 2231d 2258d 2/2 fixed on 2018/04/24 18:02
android-49 possible deadlock in __might_fault C 10264 2237d 2258d 3/3 fixed on 2018/04/24 17:23
upstream possible deadlock in __might_fault (3) usb C 10722 1602d 2073d 0/26 closed as dup on 2018/09/16 01:51
upstream possible deadlock in __might_fault (2) net C 20 2195d 2198d 8/26 fixed on 2018/07/09 18:05

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
4.14.156-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/13253 is trying to acquire lock:
 (&mm->mmap_sem){++++}, at: [<0000000055f27dfb>] __might_fault+0xd4/0x1b0 mm/memory.c:4583

but task is already holding lock:
 (&cpuctx_mutex){+.+.}, at: [<00000000b7077004>] perf_event_ctx_lock_nested+0x15a/0x2d0 kernel/events/core.c:1241

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #5 (&cpuctx_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf7/0x13e0 kernel/locking/mutex.c:893
       perf_event_init_cpu+0xa8/0x150 kernel/events/core.c:11261
       perf_event_init+0x289/0x2c5 kernel/events/core.c:11308
       start_kernel+0x583/0x890 init/main.c:645
       secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240

-> #4 (pmus_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf7/0x13e0 kernel/locking/mutex.c:893
       perf_event_init_cpu+0x2c/0x150 kernel/events/core.c:11255
       cpuhp_invoke_callback+0x207/0x1a30 kernel/cpu.c:184
       cpuhp_up_callbacks kernel/cpu.c:573 [inline]
       _cpu_up+0x20b/0x500 kernel/cpu.c:1135
       do_cpu_up+0x64/0x120 kernel/cpu.c:1170
       smp_init+0x142/0x154 kernel/smp.c:578
       kernel_init_freeable+0x196/0x3b0 init/main.c:1091
       kernel_init+0xd/0x164 init/main.c:1023
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:404

-> #3 (cpu_hotplug_lock.rw_sem){++++}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       cpus_read_lock+0x39/0xc0 kernel/cpu.c:295
       get_online_cpus include/linux/cpu.h:145 [inline]
       lru_add_drain_all+0xa/0x20 mm/swap.c:729
       shmem_wait_for_pins mm/shmem.c:2734 [inline]
       shmem_add_seals+0x632/0xf90 mm/shmem.c:2843
       shmem_fcntl+0xea/0x120 mm/shmem.c:2878
       do_fcntl+0x5c8/0xd20 fs/fcntl.c:421
       SYSC_fcntl fs/fcntl.c:463 [inline]
       SyS_fcntl+0xc6/0x100 fs/fcntl.c:448
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #2 (&sb->s_type->i_mutex_key#10){+.+.}:
       down_write+0x34/0x90 kernel/locking/rwsem.c:54
       inode_lock include/linux/fs.h:724 [inline]
       shmem_fallocate+0x150/0xae0 mm/shmem.c:2904
       ashmem_shrink_scan drivers/staging/android/ashmem.c:453 [inline]
       ashmem_shrink_scan+0x1ca/0x4f0 drivers/staging/android/ashmem.c:437
       ashmem_ioctl+0x2b4/0xd20 drivers/staging/android/ashmem.c:795
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0xabe/0x1040 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf7/0x13e0 kernel/locking/mutex.c:893
       ashmem_mmap+0x4c/0x450 drivers/staging/android/ashmem.c:369
       call_mmap include/linux/fs.h:1803 [inline]
       mmap_region+0x7d9/0xfb0 mm/mmap.c:1736
       do_mmap+0x548/0xb80 mm/mmap.c:1512
       do_mmap_pgoff include/linux/mm.h:2215 [inline]
       vm_mmap_pgoff+0x177/0x1c0 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1564 [inline]
       SyS_mmap_pgoff+0xf4/0x1b0 mm/mmap.c:1520
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&mm->mmap_sem){++++}:
       lock_acquire+0x12b/0x360 kernel/locking/lockdep.c:3994
       __might_fault mm/memory.c:4584 [inline]
       __might_fault+0x137/0x1b0 mm/memory.c:4569
       _copy_to_user+0x27/0xd0 lib/usercopy.c:25
       copy_to_user include/linux/uaccess.h:155 [inline]
       perf_read_one kernel/events/core.c:4583 [inline]
       __perf_read kernel/events/core.c:4626 [inline]
       perf_read+0x579/0x7f0 kernel/events/core.c:4639
       __vfs_read+0xf9/0x590 fs/read_write.c:411
       vfs_read+0x131/0x330 fs/read_write.c:447
       SYSC_read fs/read_write.c:578 [inline]
       SyS_read+0x102/0x250 fs/read_write.c:571
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Chain exists of:
  &mm->mmap_sem --> pmus_lock --> &cpuctx_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&cpuctx_mutex);
                               lock(pmus_lock);
                               lock(&cpuctx_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor.3/13253:
 #0:  (&cpuctx_mutex){+.+.}, at: [<00000000b7077004>] perf_event_ctx_lock_nested+0x15a/0x2d0 kernel/events/core.c:1241

stack backtrace:
CPU: 1 PID: 13253 Comm: syz-executor.3 Not tainted 4.14.156-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe5/0x154 lib/dump_stack.c:58
 print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2f5f/0x4320 kernel/locking/lockdep.c:3487
 lock_acquire+0x12b/0x360 kernel/locking/lockdep.c:3994
 __might_fault mm/memory.c:4584 [inline]
 __might_fault+0x137/0x1b0 mm/memory.c:4569
 _copy_to_user+0x27/0xd0 lib/usercopy.c:25
 copy_to_user include/linux/uaccess.h:155 [inline]
 perf_read_one kernel/events/core.c:4583 [inline]
 __perf_read kernel/events/core.c:4626 [inline]
 perf_read+0x579/0x7f0 kernel/events/core.c:4639
 __vfs_read+0xf9/0x590 fs/read_write.c:411
 vfs_read+0x131/0x330 fs/read_write.c:447
 SYSC_read fs/read_write.c:578 [inline]
 SyS_read+0x102/0x250 fs/read_write.c:571
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45a639
RSP: 002b:00007f6841e8dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a639
RDX: 0000000000000275 RSI: 0000000020367fe4 RDI: 000000000000000d
RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6841e8e6d4
R13: 00000000004c6e53 R14: 00000000004de3f8 R15: 00000000ffffffff
ip6_tunnel: W xmit: Local address not yet configured!

Crashes (136):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/11/26 09:37 android-4.14 f9b4ab5c8e99 f746151a .config console log report ci-android-414-kasan-gce-root
2019/11/22 13:06 android-4.14 7bc77fd33905 598ca6c8 .config console log report ci-android-414-kasan-gce-root
2019/10/20 18:05 android-4.14 234de92896af 8c88c9c1 .config console log report ci-android-414-kasan-gce-root
2019/10/12 08:13 android-4.14 5faab626bf1f 426631dd .config console log report ci-android-414-kasan-gce-root
2019/09/09 02:20 android-4.14 4eccd8013349 a60cb4cd .config console log report ci-android-414-kasan-gce-root
2019/09/08 00:00 android-4.14 4eccd8013349 a60cb4cd .config console log report ci-android-414-kasan-gce-root
2019/08/29 16:01 android-4.14 987732fcbbe3 fd37b39e .config console log report ci-android-414-kasan-gce-root
2019/08/13 16:27 android-4.14 98e47d9a1a3a 8620c2c2 .config console log report ci-android-414-kasan-gce-root
2019/06/28 11:57 android-4.14 93c338c2e7ba 7509bf36 .config console log report ci-android-414-kasan-gce-root
2019/06/27 22:07 android-4.14 93c338c2e7ba 7509bf36 .config console log report ci-android-414-kasan-gce-root
2019/05/02 12:31 android-4.14 c680586c4fb7 7516d9fa .config console log report ci-android-414-kasan-gce-root
2019/04/20 09:44 android-4.14 4353393c9d4a b0e8efcb .config console log report ci-android-414-kasan-gce-root
2019/04/20 06:20 android-4.14 4353393c9d4a b0e8efcb .config console log report ci-android-414-kasan-gce-root
2019/03/21 02:37 android-4.14 cfbe30be85c4 a664c187 .config console log report ci-android-414-kasan-gce-root
2019/02/25 16:36 android-4.14 6bdf39bb26fd a70141bf .config console log report ci-android-414-kasan-gce-root
2019/02/12 08:04 android-4.14 d86c0425437e 65a0d619 .config console log report ci-android-414-kasan-gce-root
2019/02/11 05:25 android-4.14 57de59b3cf53 b4f792e4 .config console log report ci-android-414-kasan-gce-root
2019/02/05 19:51 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 18:19 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 03:04 android-4.14 dcc2cc75ff5c d672172c .config console log report ci-android-414-kasan-gce-root
2019/01/31 21:29 android-4.14 63d1657d00e0 0e8ea0a3 .config console log report ci-android-414-kasan-gce-root
2019/01/31 05:18 android-4.14 63d1657d00e0 aa432daf .config console log report ci-android-414-kasan-gce-root
2019/01/29 11:20 android-4.14 63d1657d00e0 aa432daf .config console log report ci-android-414-kasan-gce-root
2019/01/18 01:16 android-4.14 42506d99b820 769e75ed .config console log report ci-android-414-kasan-gce-root
2019/01/06 08:40 android-4.14 3c207c880674 53be0a37 .config console log report ci-android-414-kasan-gce-root
2019/01/05 23:25 android-4.14 3c207c880674 53be0a37 .config console log report ci-android-414-kasan-gce-root
2019/01/05 21:18 android-4.14 3c207c880674 53be0a37 .config console log report ci-android-414-kasan-gce-root
2019/01/05 19:14 android-4.14 3c207c880674 53be0a37 .config console log report ci-android-414-kasan-gce-root
2019/01/05 15:55 android-4.14 3c207c880674 53be0a37 .config console log report ci-android-414-kasan-gce-root
2018/12/31 19:35 android-4.14 7d2d5fc1acda 2b42fdc8 .config console log report ci-android-414-kasan-gce-root
2018/12/31 18:23 android-4.14 7d2d5fc1acda 2b42fdc8 .config console log report ci-android-414-kasan-gce-root
2018/12/30 22:56 android-4.14 7d2d5fc1acda 9942de5f .config console log report ci-android-414-kasan-gce-root
2018/12/30 18:26 android-4.14 7d2d5fc1acda 9942de5f .config console log report ci-android-414-kasan-gce-root
2018/12/30 15:49 android-4.14 7d2d5fc1acda 9942de5f .config console log report ci-android-414-kasan-gce-root
2018/12/27 07:55 android-4.14 815e34f802d8 e747ec98 .config console log report ci-android-414-kasan-gce-root
2018/12/27 01:13 android-4.14 815e34f802d8 e747ec98 .config console log report ci-android-414-kasan-gce-root
2018/12/24 00:48 android-4.14 815e34f802d8 e3bd7ab8 .config console log report ci-android-414-kasan-gce-root
2018/12/22 08:27 android-4.14 815e34f802d8 603b5124 .config console log report ci-android-414-kasan-gce-root
2018/12/22 06:33 android-4.14 815e34f802d8 603b5124 .config console log report ci-android-414-kasan-gce-root
2018/12/21 13:16 android-4.14 e9c7ae0eb4cb 588075e6 .config console log report ci-android-414-kasan-gce-root
2018/12/20 23:08 android-4.14 e9c7ae0eb4cb aaf59e84 .config console log report ci-android-414-kasan-gce-root
2018/12/20 10:47 android-4.14 2eaa69bd84cf 02e69052 .config console log report ci-android-414-kasan-gce-root
2018/12/20 08:36 android-4.14 2eaa69bd84cf 02e69052 .config console log report ci-android-414-kasan-gce-root
2018/12/17 19:51 android-4.14 310c9f0e31c8 def91db3 .config console log report ci-android-414-kasan-gce-root
2018/12/17 04:36 android-4.14 4ee7197c44f6 def91db3 .config console log report ci-android-414-kasan-gce-root
2018/12/16 23:05 android-4.14 4ee7197c44f6 def91db3 .config console log report ci-android-414-kasan-gce-root
2018/12/16 21:45 android-4.14 4ee7197c44f6 def91db3 .config console log report ci-android-414-kasan-gce-root
2018/12/15 02:15 android-4.14 4ee7197c44f6 7624ddd6 .config console log report ci-android-414-kasan-gce-root
2018/12/14 15:35 android-4.14 4ee7197c44f6 7624ddd6 .config console log report ci-android-414-kasan-gce-root
2018/12/04 09:44 android-4.14 d11d7f1ccfb1 03f94a45 .config console log report ci-android-414-kasan-gce-root
2018/12/03 03:26 android-4.14 d11d7f1ccfb1 7dcaeaf3 .config console log report ci-android-414-kasan-gce-root
2018/11/26 07:23 android-4.14 ea91d158d712 3d3ec907 .config console log report ci-android-414-kasan-gce-root
2018/11/22 01:45 android-4.14 fb396435d9dd 9db828b5 .config console log report ci-android-414-kasan-gce-root
2018/11/13 20:13 android-4.14 97c308ca4091 5f5f6d14 .config console log report ci-android-414-kasan-gce-root
2018/11/10 22:28 android-4.14 494c2659e60e f3c4e618 .config console log report ci-android-414-kasan-gce-root
2018/10/02 17:40 android-4.14 e6fa8a2046e5 a316a2af .config console log report ci-android-414-kasan-gce-root