syzbot

 sign-in | mailing list | source | docs
🐞 Open [106]
🐞 Fixed [1]
🐞 Invalid [166]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

possible deadlock in do_io_accounting

Status: public: reported syz repro on 2019/04/12 00:01
Reported-by: syzbot+5fb1a5a226b752b23fdc@syzkaller.appspotmail.com
First crash: 2600d, last: 2415d
Similar bugs (8)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 possible deadlock in do_io_accounting 4 C 4521 2162d 2398d 0/3 public: reported C repro on 2019/04/12 00:00
android-44 possible deadlock in do_io_accounting 4 C 28 2164d 2399d 0/2 public: reported C repro on 2019/04/11 08:44
linux-4.19 possible deadlock in do_io_accounting 4 C done 4 2227d 2338d 1/1 fixed on 2019/12/10 20:49
upstream possible deadlock in do_io_accounting (3) fs 4 C inconclusive done 39 2049d 2139d 15/29 fixed on 2020/08/18 22:40
linux-4.19 possible deadlock in do_io_accounting (2) 4 syz error 26 1879d 2142d 0/1 upstream: reported syz repro on 2019/12/24 07:12
upstream possible deadlock in do_io_accounting fs 4 syz 1003 2413d 2891d 0/29 closed as dup on 2017/12/12 21:27
upstream possible deadlock in do_io_accounting (2) fs 4 1 2387d 2384d 0/29 auto-closed as invalid on 2019/10/20 09:03
linux-4.14 possible deadlock in do_io_accounting 4 C error 56 1376d 2325d 0/1 upstream: reported C repro on 2019/06/24 03:04

Sample crash report:
random: cc1: uninitialized urandom read (8 bytes read)
audit: type=1400 audit(1537649248.581:9): avc:  denied  { map } for  pid=1826 comm="syz-execprog" path="/root/syzkaller-shm889316429" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1

======================================================
WARNING: possible circular locking dependency detected
4.14.71+ #8 Not tainted
------------------------------------------------------
syz-executor5/4593 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff8329e337>] do_io_accounting+0x1d7/0x770 fs/proc/base.c:2717

but task is already holding lock:
 (&p->lock){+.+.}, at: [<ffffffff831d06c4>] seq_read+0xd4/0x11d0 fs/seq_file.c:165

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&p->lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
       seq_read+0xd4/0x11d0 fs/seq_file.c:165
       proc_reg_read+0xef/0x170 fs/proc/inode.c:217
       do_loop_readv_writev fs/read_write.c:698 [inline]
       do_iter_read+0x3cc/0x580 fs/read_write.c:922
       vfs_readv+0xe6/0x150 fs/read_write.c:984
       kernel_readv fs/splice.c:361 [inline]
       default_file_splice_read+0x495/0x860 fs/splice.c:416
       do_splice_to+0x102/0x150 fs/splice.c:880
       do_splice fs/splice.c:1173 [inline]
       SYSC_splice fs/splice.c:1402 [inline]
       SyS_splice+0xf4d/0x12a0 fs/splice.c:1382
       do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&pipe->mutex/1){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
       __pipe_lock fs/pipe.c:88 [inline]
       fifo_open+0x156/0x9d0 fs/pipe.c:921
       do_dentry_open+0x426/0xda0 fs/open.c:764
       vfs_open+0x11c/0x210 fs/open.c:878
       do_last fs/namei.c:3408 [inline]
       path_openat+0x4eb/0x23a0 fs/namei.c:3550
       do_filp_open+0x197/0x270 fs/namei.c:3584
       do_open_execat+0x10d/0x5b0 fs/exec.c:849
       do_execveat_common.isra.14+0x6cb/0x1d60 fs/exec.c:1740
       do_execve fs/exec.c:1847 [inline]
       SYSC_execve fs/exec.c:1928 [inline]
       SyS_execve+0x34/0x40 fs/exec.c:1923
       do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&sig->cred_guard_mutex){+.+.}:
       lock_acquire+0x10f/0x380 kernel/locking/lockdep.c:3991
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
       do_io_accounting+0x1d7/0x770 fs/proc/base.c:2717
       proc_single_show+0xf1/0x160 fs/proc/base.c:748
       seq_read+0x4e0/0x11d0 fs/seq_file.c:237
       __vfs_read+0xf4/0x5b0 fs/read_write.c:411
       vfs_read+0x11e/0x330 fs/read_write.c:447
       SYSC_pread64 fs/read_write.c:615 [inline]
       SyS_pread64+0x136/0x160 fs/read_write.c:602
       do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Chain exists of:
  &sig->cred_guard_mutex --> &pipe->mutex/1 --> &p->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&p->lock);
                               lock(&pipe->mutex/1);
                               lock(&p->lock);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor5/4593:
 #0:  (&p->lock){+.+.}, at: [<ffffffff831d06c4>] seq_read+0xd4/0x11d0 fs/seq_file.c:165

stack backtrace:
CPU: 1 PID: 4593 Comm: syz-executor5 Not tainted 4.14.71+ #8
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_circular_bug.isra.18.cold.43+0x2d3/0x40c kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2ff9/0x4320 kernel/locking/lockdep.c:3487
 lock_acquire+0x10f/0x380 kernel/locking/lockdep.c:3991
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
 do_io_accounting+0x1d7/0x770 fs/proc/base.c:2717
 proc_single_show+0xf1/0x160 fs/proc/base.c:748
 seq_read+0x4e0/0x11d0 fs/seq_file.c:237
 __vfs_read+0xf4/0x5b0 fs/read_write.c:411
 vfs_read+0x11e/0x330 fs/read_write.c:447
 SYSC_pread64 fs/read_write.c:615 [inline]
 SyS_pread64+0x136/0x160 fs/read_write.c:602
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f3f75f96c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 00007f3f75f976d4 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 00000000200012c0 RDI: 0000000000000006
RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d4860 R14: 00000000004c30c2 R15: 0000000000000001

Crashes (70):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/09/22 20:55 android-4.14 666c420fa3ea 37079712 .config console log report syz ci-android-414-kasan-gce-root
2018/09/22 19:54 android-4.14 666c420fa3ea 37079712 .config console log report syz ci-android-414-kasan-gce-root
2018/09/22 00:19 android-4.14 666c420fa3ea 37079712 .config console log report syz ci-android-414-kasan-gce-root
2019/03/26 07:07 android-4.14 02b246355459 55684ce1 .config console log report ci-android-414-kasan-gce-root
2019/03/19 05:07 android-4.14 ea583d160621 46264c32 .config console log report ci-android-414-kasan-gce-root
2019/03/15 09:44 android-4.14 8ed9bc6e6401 bab43553 .config console log report ci-android-414-kasan-gce-root
2019/03/02 19:39 android-4.14 934272e9380b 1c0e457a .config console log report ci-android-414-kasan-gce-root
2019/02/28 15:22 android-4.14 0cc8f104f45a 09aeeba4 .config console log report ci-android-414-kasan-gce-root
2019/01/25 13:50 android-4.14 e1f5ad7212eb b5d78bce .config console log report ci-android-414-kasan-gce-root
2019/01/23 04:48 android-4.14 a4580ffc17d3 b1ff06b2 .config console log report ci-android-414-kasan-gce-root
2019/01/21 20:20 android-4.14 5a76363f1262 badbbeee .config console log report ci-android-414-kasan-gce-root
2019/01/19 17:52 android-4.14 5a76363f1262 8aa587b0 .config console log report ci-android-414-kasan-gce-root
2019/01/19 15:32 android-4.14 5a76363f1262 8aa587b0 .config console log report ci-android-414-kasan-gce-root
2018/12/30 02:04 android-4.14 7d2d5fc1acda 35e3f847 .config console log report ci-android-414-kasan-gce-root
2018/12/26 04:59 android-4.14 815e34f802d8 8a41a0ad .config console log report ci-android-414-kasan-gce-root
2018/12/26 03:48 android-4.14 815e34f802d8 8a41a0ad .config console log report ci-android-414-kasan-gce-root
2018/12/26 00:40 android-4.14 815e34f802d8 8a41a0ad .config console log report ci-android-414-kasan-gce-root
2018/12/25 16:15 android-4.14 815e34f802d8 8a41a0ad .config console log report ci-android-414-kasan-gce-root
2018/12/25 08:21 android-4.14 815e34f802d8 8a41a0ad .config console log report ci-android-414-kasan-gce-root
2018/12/24 22:37 android-4.14 815e34f802d8 8a41a0ad .config console log report ci-android-414-kasan-gce-root
2018/12/15 10:51 android-4.14 4ee7197c44f6 c9128939 .config console log report ci-android-414-kasan-gce-root
2018/12/15 02:10 android-4.14 4ee7197c44f6 7624ddd6 .config console log report ci-android-414-kasan-gce-root
2018/12/14 02:40 android-4.14 4ee7197c44f6 fe7127be .config console log report ci-android-414-kasan-gce-root
2018/12/12 08:27 android-4.14 e525d2cfbe65 7795ae03 .config console log report ci-android-414-kasan-gce-root
2018/12/12 04:19 android-4.14 e525d2cfbe65 7795ae03 .config console log report ci-android-414-kasan-gce-root
2018/12/12 01:37 android-4.14 e525d2cfbe65 7795ae03 .config console log report ci-android-414-kasan-gce-root
2018/12/05 18:17 android-4.14 d11d7f1ccfb1 ac6c0578 .config console log report ci-android-414-kasan-gce-root
2018/12/05 09:54 android-4.14 d11d7f1ccfb1 f162ad97 .config console log report ci-android-414-kasan-gce-root
2018/12/05 02:02 android-4.14 d11d7f1ccfb1 f162ad97 .config console log report ci-android-414-kasan-gce-root
2018/12/04 22:39 android-4.14 d11d7f1ccfb1 f162ad97 .config console log report ci-android-414-kasan-gce-root
2018/12/04 21:27 android-4.14 d11d7f1ccfb1 6ad0ae61 .config console log report ci-android-414-kasan-gce-root
2018/12/04 12:45 android-4.14 d11d7f1ccfb1 6ad0ae61 .config console log report ci-android-414-kasan-gce-root
2018/11/28 13:47 android-4.14 f544ad0b1547 4b6d14f2 .config console log report ci-android-414-kasan-gce-root
2018/11/10 00:38 android-4.14 87485dbe777b f9815aaf .config console log report ci-android-414-kasan-gce-root
2018/11/09 13:24 android-4.14 2de3f80d5ba2 8fd01d3a .config console log report ci-android-414-kasan-gce-root
2018/11/09 06:07 android-4.14 2de3f80d5ba2 8fd01d3a .config console log report ci-android-414-kasan-gce-root
2018/11/08 19:23 android-4.14 6c95b90db52b e85d2a61 .config console log report ci-android-414-kasan-gce-root
2018/11/07 09:54 android-4.14 d4e5dea08bbf 8bd6bd63 .config console log report ci-android-414-kasan-gce-root
2018/11/06 21:02 android-4.14 d4e5dea08bbf 8bd6bd63 .config console log report ci-android-414-kasan-gce-root
2018/11/06 09:29 android-4.14 d4e5dea08bbf 8bd6bd63 .config console log report ci-android-414-kasan-gce-root
2018/11/06 06:44 android-4.14 d4e5dea08bbf 8bd6bd63 .config console log report ci-android-414-kasan-gce-root
2018/10/28 04:23 android-4.14 4ed22187defd 8efba39a .config console log report ci-android-414-kasan-gce-root
2018/10/24 20:56 android-4.14 35a066ea5bf9 a8292de9 .config console log report ci-android-414-kasan-gce-root
2018/10/20 10:44 android-4.14 0ff0788d6a66 ecb386fe .config console log report ci-android-414-kasan-gce-root
2018/10/20 06:43 android-4.14 0ff0788d6a66 ecb386fe .config console log report ci-android-414-kasan-gce-root
2018/10/20 06:16 android-4.14 0ff0788d6a66 ecb386fe .config console log report ci-android-414-kasan-gce-root
2018/10/19 14:51 android-4.14 0ff0788d6a66 9aba67b5 .config console log report ci-android-414-kasan-gce-root
2018/10/19 14:02 android-4.14 0ff0788d6a66 9aba67b5 .config console log report ci-android-414-kasan-gce-root
2018/10/18 15:01 android-4.14 6d46bcc5a747 d257b2d2 .config console log report ci-android-414-kasan-gce-root
2018/10/18 14:30 android-4.14 6d46bcc5a747 d257b2d2 .config console log report ci-android-414-kasan-gce-root
2018/10/17 23:22 android-4.14 6d46bcc5a747 b2695b95 .config console log report ci-android-414-kasan-gce-root
2018/10/15 14:53 android-4.14 48091d94336e caf12900 .config console log report ci-android-414-kasan-gce-root
2018/10/15 13:11 android-4.14 48091d94336e caf12900 .config console log report ci-android-414-kasan-gce-root
2018/10/15 07:28 android-4.14 48091d94336e caf12900 .config console log report ci-android-414-kasan-gce-root
2018/10/15 03:38 android-4.14 48091d94336e caf12900 .config console log report ci-android-414-kasan-gce-root
2018/10/14 14:24 android-4.14 48091d94336e caf12900 .config console log report ci-android-414-kasan-gce-root
2018/10/13 17:20 android-4.14 48091d94336e caf12900 .config console log report ci-android-414-kasan-gce-root
2018/10/12 18:41 android-4.14 b7e40c3d444a caf12900 .config console log report ci-android-414-kasan-gce-root
2018/10/12 17:32 android-4.14 b7e40c3d444a caf12900 .config console log report ci-android-414-kasan-gce-root
2018/10/12 01:04 android-4.14 b7e40c3d444a ba6ddb43 .config console log report ci-android-414-kasan-gce-root
2018/10/11 19:04 android-4.14 b7e40c3d444a ba6ddb43 .config console log report ci-android-414-kasan-gce-root
2018/10/11 09:14 android-4.14 b7e40c3d444a 5f818b4b .config console log report ci-android-414-kasan-gce-root
2018/10/09 22:59 android-4.14 d33692e8014d 8b311eaf .config console log report ci-android-414-kasan-gce-root
2018/10/01 16:05 android-4.14 84ae3e35e1ce 48a50c6b .config console log report ci-android-414-kasan-gce-root
2018/09/30 02:20 android-4.14 84ae3e35e1ce 41e4b329 .config console log report ci-android-414-kasan-gce-root
2018/09/28 19:24 android-4.14 56aae8ee7423 137d7c66 .config console log report ci-android-414-kasan-gce-root
2018/09/24 06:19 android-4.14 666c420fa3ea 28d9ac76 .config console log report ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.