syzbot


possible deadlock in proc_pid_attr_write

Status: public: reported C repro on 2019/04/11 00:00
Reported-by: syzbot+40351050f20892504e43@syzkaller.appspotmail.com
First crash: 2032d, last: 1853d
Similar bugs (6)
Kernel      Title                                            Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
linux-4.14  possible deadlock in proc_pid_attr_write                                          3      1549d  1638d     0/1      auto-closed as invalid on 2020/05/23 15:46
upstream    possible deadlock in proc_pid_attr_write (2) fs                                   1      1527d  1523d     0/26     auto-closed as invalid on 2020/04/15 17:32
linux-4.19  possible deadlock in proc_pid_attr_write                                          1      1312d  1312d     0/1      auto-closed as invalid on 2021/01/16 05:53
upstream    possible deadlock in proc_pid_attr_write fs      C                                281    1851d  2326d     0/26     closed as dup on 2017/12/12 22:00
linux-4.14  possible deadlock in proc_pid_attr_write (2)                                      1      1095d  1095d     0/1      auto-closed as invalid on 2021/08/21 09:25
linux-4.19  possible deadlock in proc_pid_attr_write (2)                                      1      939d   939d      0/1      auto-closed as invalid on 2022/01/23 20:06

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1541159782.315:7): avc:  denied  { map } for  pid=1799 comm="syz-executor618" path="/root/syz-executor618887805" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

======================================================
WARNING: possible circular locking dependency detected
4.14.78+ #26 Not tainted
------------------------------------------------------
syz-executor618/1803 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff890a106b>] proc_pid_attr_write+0x16b/0x280 fs/proc/base.c:2590

but task is already holding lock:
 (&pipe->mutex/1){+.+.}, at: [<ffffffff88f73b85>] pipe_lock_nested fs/pipe.c:67 [inline]
 (&pipe->mutex/1){+.+.}, at: [<ffffffff88f73b85>] pipe_lock fs/pipe.c:75 [inline]
 (&pipe->mutex/1){+.+.}, at: [<ffffffff88f73b85>] pipe_wait+0x185/0x1b0 fs/pipe.c:123

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&pipe->mutex/1){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
       __pipe_lock fs/pipe.c:88 [inline]
       fifo_open+0x156/0x9d0 fs/pipe.c:921
       do_dentry_open+0x426/0xda0 fs/open.c:764
       vfs_open+0x11c/0x210 fs/open.c:878
       do_last fs/namei.c:3408 [inline]
       path_openat+0x4eb/0x23a0 fs/namei.c:3550
       do_filp_open+0x197/0x270 fs/namei.c:3584
       do_open_execat+0x10d/0x5b0 fs/exec.c:849
       do_execveat_common.isra.14+0x6cb/0x1d60 fs/exec.c:1740
       do_execve fs/exec.c:1847 [inline]
       SYSC_execve fs/exec.c:1928 [inline]
       SyS_execve+0x34/0x40 fs/exec.c:1923
       do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&sig->cred_guard_mutex){+.+.}:
       lock_acquire+0x10f/0x380 kernel/locking/lockdep.c:3991
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
       proc_pid_attr_write+0x16b/0x280 fs/proc/base.c:2590
       __vfs_write+0xf4/0x5c0 fs/read_write.c:482
       __kernel_write+0xf3/0x330 fs/read_write.c:503
       write_pipe_buf+0x192/0x250 fs/splice.c:797
       splice_from_pipe_feed fs/splice.c:502 [inline]
       __splice_from_pipe+0x324/0x740 fs/splice.c:626
       splice_from_pipe+0xcf/0x130 fs/splice.c:661
       default_file_splice_write+0x37/0x80 fs/splice.c:809
       do_splice_from fs/splice.c:851 [inline]
       do_splice fs/splice.c:1147 [inline]
       SYSC_splice fs/splice.c:1402 [inline]
       SyS_splice+0xd06/0x12a0 fs/splice.c:1382
       do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&pipe->mutex/1);
                               lock(&sig->cred_guard_mutex);
                               lock(&pipe->mutex/1);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

2 locks held by syz-executor618/1803:
 #0:  (sb_writers#7){.+.+}, at: [<ffffffff88ffe5cc>] file_start_write include/linux/fs.h:2722 [inline]
 #0:  (sb_writers#7){.+.+}, at: [<ffffffff88ffe5cc>] do_splice fs/splice.c:1146 [inline]
 #0:  (sb_writers#7){.+.+}, at: [<ffffffff88ffe5cc>] SYSC_splice fs/splice.c:1402 [inline]
 #0:  (sb_writers#7){.+.+}, at: [<ffffffff88ffe5cc>] SyS_splice+0xeac/0x12a0 fs/splice.c:1382
 #1:  (&pipe->mutex/1){+.+.}, at: [<ffffffff88f73b85>] pipe_lock_nested fs/pipe.c:67 [inline]
 #1:  (&pipe->mutex/1){+.+.}, at: [<ffffffff88f73b85>] pipe_lock fs/pipe.c:75 [inline]
 #1:  (&pipe->mutex/1){+.+.}, at: [<ffffffff88f73b85>] pipe_wait+0x185/0x1b0 fs/pipe.c:123

stack backtrace:
CPU: 0 PID: 1803 Comm: syz-executor618 Not tainted 4.14.78+ #26
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_circular_bug.isra.18.cold.43+0x2d3/0x40c kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2ff9/0x4320 kernel/locking/lockdep.c:3487
 lock_acquire+0x10f/0x380 kernel/locking/lockdep.c:3991
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
 proc_pid_attr_write+0x16b/0x280 fs/proc/base.c:2590
 __vfs_write+0xf4/0x5c0 fs/read_write.c:482
 __kernel_write+0xf3/0x330 fs/read_write.c:503
 write_pipe_buf+0x192/0x250 fs/splice.c:797
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x324/0x740 fs/splice.c:626
 splice_from_pipe+0xcf/0x130 fs/splice.c:661
 default_file_splice_write+0x37/0x80 fs/splice.c:809
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0xd06/0x12a0 fs/splice.c:1382
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446389
RSP: 002b:00007fa9c038ad98 EFLAGS: 00000212 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 0000000000446389
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006dbc50 R08: 0000000000008ec0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc5c
R13: 6c65732d64616572 R14: 68742f636f72702f R15: 00000000006dbd4c

Crashes (203):