syzbot


possible deadlock in shmem_fallocate (2)

Status: fixed on 2019/03/28 12:00
Subsystems: mm
Reported-by: syzbot+4b8b031b89e6b96c4b2e@syzkaller.appspotmail.com
Fix commit: fb4415a12632 staging: android: ashmem: Don't call fallocate() with ashmem_mutex held.
First crash: 2075d, last: 1867d
Discussions (5)
Title Replies (including bot) Last reply
[PATCH 5.0 00/46] 5.0.1-stable review 59 (59) 2019/03/12 09:50
[PATCH 4.20 00/76] 4.20.15-stable review 81 (81) 2019/03/09 22:35
[PATCH 4.19 00/68] 4.19.28-stable review 73 (73) 2019/03/09 22:35
possible deadlock in __do_page_fault 19 (22) 2019/01/29 10:44
possible deadlock in shmem_fallocate (2) 5 (7) 2019/01/22 18:49
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 possible deadlock in shmem_fallocate (2) 2 1430d 1497d 0/1 auto-closed as invalid on 2020/09/14 02:25
upstream possible deadlock in shmem_fallocate mm 8087 2371d 2415d 0/26 closed as invalid on 2017/11/05 09:38
linux-4.19 possible deadlock in shmem_fallocate 1 1719d 1719d 0/1 auto-closed as invalid on 2019/11/29 05:22
android-49 possible deadlock in shmem_fallocate C 2441 1594d 1831d 0/3 public: reported C repro on 2019/04/11 08:44
android-414 possible deadlock in shmem_fallocate C 7876 1595d 1832d 0/1 public: reported C repro on 2019/04/11 00:00
upstream possible deadlock in shmem_fallocate (3) mm 1 1684d 1680d 0/26 auto-closed as invalid on 2019/11/05 02:34
upstream possible deadlock in shmem_fallocate (4) mm C done 81 1357d 1572d 15/26 fixed on 2020/09/16 22:51

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
4.20.0-rc2+ #117 Not tainted
------------------------------------------------------
syz-executor874/6070 is trying to acquire lock:
00000000403dc15a (&sb->s_type->i_mutex_key#11){+.+.}, at: inode_lock include/linux/fs.h:757 [inline]
00000000403dc15a (&sb->s_type->i_mutex_key#11){+.+.}, at: shmem_fallocate+0x18b/0x12c0 mm/shmem.c:2604

but task is already holding lock:
0000000019817b16 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x660 drivers/staging/android/ashmem.c:448

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361
       call_mmap include/linux/fs.h:1862 [inline]
       mmap_region+0xe85/0x1cd0 mm/mmap.c:1786
       do_mmap+0xa22/0x1230 mm/mmap.c:1559
       do_mmap_pgoff include/linux/mm.h:2328 [inline]
       vm_mmap_pgoff+0x213/0x2c0 mm/util.c:350
       ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1609
       __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
       __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&mm->mmap_sem){++++}:
       down_read+0x8d/0x120 kernel/locking/rwsem.c:24
       do_user_addr_fault arch/x86/mm/fault.c:1362 [inline]
       __do_page_fault+0xbc9/0xe60 arch/x86/mm/fault.c:1489
       do_page_fault+0xf2/0x7e0 arch/x86/mm/fault.c:1520
       page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1139
       fault_in_pages_readable include/linux/pagemap.h:609 [inline]
       iov_iter_fault_in_readable+0x363/0x450 lib/iov_iter.c:424
       generic_perform_write+0x216/0x6a0 mm/filemap.c:3130
       __generic_file_write_iter+0x26e/0x630 mm/filemap.c:3265
       generic_file_write_iter+0x34d/0x6b0 mm/filemap.c:3293
       call_write_iter include/linux/fs.h:1857 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x6b8/0x9f0 fs/read_write.c:487
       vfs_write+0x1fc/0x560 fs/read_write.c:549
       ksys_write+0x101/0x260 fs/read_write.c:598
       __do_sys_write fs/read_write.c:610 [inline]
       __se_sys_write fs/read_write.c:607 [inline]
       __x64_sys_write+0x73/0xb0 fs/read_write.c:607
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&sb->s_type->i_mutex_key#11){+.+.}:
       lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
       down_write+0x8a/0x130 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:757 [inline]
       shmem_fallocate+0x18b/0x12c0 mm/shmem.c:2604
       ashmem_shrink_scan+0x238/0x660 drivers/staging/android/ashmem.c:455
       ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:509 [inline]
       do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
       ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
       __do_sys_ioctl fs/ioctl.c:720 [inline]
       __se_sys_ioctl fs/ioctl.c:718 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#11 --> &mm->mmap_sem --> ashmem_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#11);

 *** DEADLOCK ***

1 lock held by syz-executor874/6070:
 #0: 0000000019817b16 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x660 drivers/staging/android/ashmem.c:448

stack backtrace:
CPU: 1 PID: 6070 Comm: syz-executor874 Not tainted 4.20.0-rc2+ #117
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_circular_bug.isra.35.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2347 [inline]
 __lock_acquire+0x3399/0x4c20 kernel/locking/lockdep.c:3341
 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
 down_write+0x8a/0x130 kernel/locking/rwsem.c:70
 inode_lock include/linux/fs.h:757 [inline]
 shmem_fallocate+0x18b/0x12c0 mm/shmem.c:2604
 ashmem_shrink_scan+0x238/0x660 drivers/staging/android/ashmem.c:455
 ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446329
Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff3c438ada8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000446329
RDX: 0000000000000000 RSI: 000000000000770a RDI: 0000000000000004
RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac3c
R13: dfdd4f11168a8b2b R14: 6873612f7665642f R15: 00000000006dad2c

Crashes (1325):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/11/17 15:48 upstream 1ce80e0fe98e b08ee62a .config console log report syz C ci-upstream-kasan-gce-smack-root
2018/09/07 22:03 upstream a49a9dcce802 69cfeb80 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2018/09/07 20:49 upstream a49a9dcce802 69cfeb80 .config console log report syz C ci-upstream-kasan-gce-root
2018/09/07 19:43 upstream a49a9dcce802 69cfeb80 .config console log report syz C ci-upstream-kasan-gce-smack-root
2018/08/31 08:48 upstream 217c3e019675 a4718693 .config console log report syz C ci-upstream-kasan-gce-root
2018/08/20 17:16 upstream 2ad0d5269970 2dc4378f .config console log report syz C ci-upstream-kasan-gce-root
2018/12/26 19:05 linux-next 6a1d293238c1 8a41a0ad .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/09/08 07:05 linux-next f2b6e66e9885 6b5120a4 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/08/31 11:50 linux-next a880148cb2af a4718693 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/08/24 02:24 linux-next 455fb5ec1df1 95b5c82b .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/08/18 05:43 linux-next d7857ae43dcc db1858f6 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/08/14 12:44 linux-next 4e8b38549b50 7a88b141 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/08/12 19:59 linux-next 4110b42356f3 7a88b141 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/08/10 11:41 linux-next 4110b42356f3 1fb62d58 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/11/08 16:57 upstream 85758777c2a2 e85d2a61 .config console log report syz ci-upstream-kasan-gce-smack-root
2018/11/08 06:43 upstream e09d51adfbb1 e85d2a61 .config console log report syz ci-upstream-kasan-gce-root
2018/11/08 04:38 upstream e09d51adfbb1 e85d2a61 .config console log report syz ci-upstream-kasan-gce-selinux-root
2018/11/05 18:02 linux-next 55e5059cb572 8bd6bd63 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/03/06 22:43 upstream afe6fe7036c6 18215b8d .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/06 19:01 upstream 3717f613f48d 05cf83bf .config console log report ci-upstream-kasan-gce-root
2019/03/05 19:57 upstream 63bdf4284c38 16559f86 .config console log report ci-upstream-kasan-gce-root
2019/03/05 12:46 upstream cd2a3bf02625 bb91cf81 .config console log report ci-upstream-kasan-gce-root
2019/03/04 07:17 upstream 1c163f4c7b3f 7c693b52 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/04 01:31 upstream 1c163f4c7b3f 1c0e457a .config console log report ci-upstream-kasan-gce-smack-root
2019/03/02 20:32 upstream c93d9218ea56 1c0e457a .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/02 02:30 upstream a215ce8f0e00 68d9e495 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/01 04:54 upstream 7d762d69145a 09aeeba4 .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/27 23:04 upstream 7d762d69145a 34ec456b .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/27 11:39 upstream 7d762d69145a 083cfd0e .config console log report ci-upstream-kasan-gce-smack-root
2019/02/27 04:00 upstream 7d762d69145a f2468c12 .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/26 23:33 upstream 7d762d69145a f2468c12 .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/26 22:30 upstream 7d762d69145a f2468c12 .config console log report ci-upstream-kasan-gce-root
2019/02/26 13:37 upstream 7d762d69145a a36ecd98 .config console log report ci-upstream-kasan-gce-root
2019/02/26 03:57 upstream 7d762d69145a 8022bafd .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/25 23:54 upstream 7d762d69145a 8022bafd .config console log report ci-upstream-kasan-gce-smack-root
2019/02/25 10:33 upstream 5908e6b738e3 a70141bf .config console log report ci-upstream-kasan-gce-root
2019/02/25 08:14 upstream 5908e6b738e3 7a06e792 .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/24 20:33 upstream c3619a482e15 7a06e792 .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/24 07:33 upstream e60b5f79bd75 7a06e792 .config console log report ci-upstream-kasan-gce-smack-root
2019/02/24 05:31 upstream e60b5f79bd75 7a06e792 .config console log report ci-upstream-kasan-gce-smack-root
2019/02/22 13:27 upstream 8a61716ff2ab 6a5fcca4 .config console log report ci-upstream-kasan-gce-smack-root
2019/02/22 12:19 upstream 8a61716ff2ab 6a5fcca4 .config console log report ci-upstream-kasan-gce-smack-root
2019/02/21 08:20 upstream f6163d67cc31 c95f0707 .config console log report ci-upstream-kasan-gce-root
2019/02/20 21:06 upstream 2137397c92ae c95f0707 .config console log report ci-upstream-kasan-gce-root
2019/02/20 09:44 upstream 40e196a906d9 c95f0707 .config console log report ci-upstream-kasan-gce-smack-root
2019/02/19 19:01 upstream b5372fe5dc84 4df543c9 .config console log report ci-upstream-kasan-gce-root
2019/02/19 09:34 upstream b5372fe5dc84 59f36113 .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/18 14:43 upstream 2fee036af043 59f36113 .config console log report ci-upstream-kasan-gce-smack-root
2019/02/18 10:44 upstream 2fee036af043 59f36113 .config console log report ci-upstream-kasan-gce-root
2019/02/17 04:01 upstream 64c0133eb88a f42dee6d .config console log report ci-upstream-kasan-gce-root
2019/02/15 23:56 upstream 5ded5871030e f42dee6d .config console log report ci-upstream-kasan-gce-smack-root
2019/02/15 20:12 upstream cb5b020a8d38 f6f233c0 .config console log report ci-upstream-kasan-gce-root
2019/01/21 20:05 upstream 49a57857aeea badbbeee .config console log report ci-upstream-kasan-gce-386
2019/02/18 03:18 linux-next 7a92eb7cc1dc 59f36113 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/17 12:21 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/17 10:55 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/17 02:38 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/17 01:45 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/17 00:41 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/16 18:17 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/16 16:51 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/16 15:28 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/16 14:09 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/16 11:57 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/14 11:02 linux-next b3418f8bddf4 6a46f448 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/14 03:35 linux-next c4f3ef3eb53f 6a46f448 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/02/13 16:00 linux-next c4f3ef3eb53f 0a49c954 .config console log report ci-upstream-linux-next-kasan-gce-root
2018/08/10 08:53 linux-next 4110b42356f3 1fb62d58 .config console log report ci-upstream-linux-next-kasan-gce-root