syzbot


possible deadlock in shmem_fallocate (4)

Status: fixed on 2020/09/16 22:51
Subsystems: mm
Reported-by: syzbot+7a0d9d0b26efefe61780@syzkaller.appspotmail.com
Fix commit: 3e338d3c95c7 staging: android: ashmem: Fix lockdep warning for write operation
First crash: 1643d, last: 1426d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash observed during bisection: WARNING in sysfs_warn_dup (log)
Repro: C syz .config
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 4.14 000/228] 4.14.194-rc1 review 234 (234) 2020/08/21 06:59
[PATCH 4.19 00/48] 4.19.139-rc1 review 61 (61) 2020/08/11 16:45
[PATCH 5.8 00/38] 5.8.1-rc1 review 46 (46) 2020/08/11 16:20
[PATCH 5.7 00/79] 5.7.15-rc1 review 83 (83) 2020/08/11 14:23
[PATCH 5.4 00/67] 5.4.58-rc1 review 71 (71) 2020/08/11 14:23
[PATCH v2 1/1] staging: android: ashmem: Fix lockdep warning for write operation 1 (1) 2020/07/30 19:26
[PATCH 1/1] staging: android: ashmem: Fix lockdep warning for write operation 5 (5) 2020/07/30 19:15
possible deadlock in shmem_fallocate (4) 14 (17) 2020/07/16 02:49
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 possible deadlock in shmem_fallocate (2) 2 1498d 1566d 0/1 auto-closed as invalid on 2020/09/14 02:25
upstream possible deadlock in shmem_fallocate mm 8087 2440d 2483d 0/27 closed as invalid on 2017/11/05 09:38
linux-4.19 possible deadlock in shmem_fallocate 1 1788d 1788d 0/1 auto-closed as invalid on 2019/11/29 05:22
android-49 possible deadlock in shmem_fallocate C 2441 1663d 1900d 0/3 public: reported C repro on 2019/04/11 08:44
android-414 possible deadlock in shmem_fallocate C 7876 1663d 1900d 0/1 public: reported C repro on 2019/04/11 00:00
upstream possible deadlock in shmem_fallocate (3) mm 1 1752d 1748d 0/27 auto-closed as invalid on 2019/11/05 02:34
upstream possible deadlock in shmem_fallocate (2) mm C 1325 1935d 2144d 11/27 fixed on 2019/03/28 12:00

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
5.8.0-rc5-syzkaller #0 Not tainted
------------------------------------------------------
khugepaged/1158 is trying to acquire lock:
ffff8882071865b0 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:800 [inline]
ffff8882071865b0 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}, at: shmem_fallocate+0x153/0xd90 mm/shmem.c:2707

but task is already holding lock:
ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: fs_reclaim_release mm/page_alloc.c:4202 [inline]
ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: fs_reclaim_release mm/page_alloc.c:4198 [inline]
ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: __perform_reclaim mm/page_alloc.c:4227 [inline]
ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: __alloc_pages_direct_reclaim mm/page_alloc.c:4244 [inline]
ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: __alloc_pages_slowpath.constprop.0+0x1554/0x2780 mm/page_alloc.c:4650

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (fs_reclaim){+.+.}-{0:0}:
       __fs_reclaim_acquire mm/page_alloc.c:4183 [inline]
       fs_reclaim_acquire mm/page_alloc.c:4194 [inline]
       prepare_alloc_pages mm/page_alloc.c:4780 [inline]
       __alloc_pages_nodemask+0x3d1/0x930 mm/page_alloc.c:4832
       alloc_pages_vma+0xdd/0x720 mm/mempolicy.c:2255
       shmem_alloc_page+0x11f/0x1f0 mm/shmem.c:1502
       shmem_alloc_and_acct_page+0x161/0x8a0 mm/shmem.c:1527
       shmem_getpage_gfp+0x511/0x2450 mm/shmem.c:1823
       shmem_getpage mm/shmem.c:153 [inline]
       shmem_write_begin+0xf9/0x1d0 mm/shmem.c:2459
       generic_perform_write+0x20a/0x4f0 mm/filemap.c:3318
       __generic_file_write_iter+0x24b/0x610 mm/filemap.c:3447
       generic_file_write_iter+0x3a6/0x5c0 mm/filemap.c:3479
       call_write_iter include/linux/fs.h:1908 [inline]
       new_sync_write+0x422/0x650 fs/read_write.c:503
       vfs_write+0x59d/0x6b0 fs/read_write.c:578
       ksys_write+0x12d/0x250 fs/read_write.c:631
       do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
       entry_SYSCALL_64_after_hwframe+0x44/0xa9

-> #0 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:2496 [inline]
       check_prevs_add kernel/locking/lockdep.c:2601 [inline]
       validate_chain kernel/locking/lockdep.c:3218 [inline]
       __lock_acquire+0x2acb/0x56e0 kernel/locking/lockdep.c:4380
       lock_acquire+0x1f1/0xad0 kernel/locking/lockdep.c:4959
       down_write+0x8d/0x150 kernel/locking/rwsem.c:1531
       inode_lock include/linux/fs.h:800 [inline]
       shmem_fallocate+0x153/0xd90 mm/shmem.c:2707
       ashmem_shrink_scan.part.0+0x2e9/0x490 drivers/staging/android/ashmem.c:490
       ashmem_shrink_scan+0x6c/0xa0 drivers/staging/android/ashmem.c:473
       do_shrink_slab+0x3c6/0xab0 mm/vmscan.c:518
       shrink_slab+0x16f/0x5c0 mm/vmscan.c:679
       shrink_node_memcgs mm/vmscan.c:2658 [inline]
       shrink_node+0x519/0x1b60 mm/vmscan.c:2770
       shrink_zones mm/vmscan.c:2973 [inline]
       do_try_to_free_pages+0x38b/0x1340 mm/vmscan.c:3026
       try_to_free_pages+0x29a/0x8b0 mm/vmscan.c:3265
       __perform_reclaim mm/page_alloc.c:4223 [inline]
       __alloc_pages_direct_reclaim mm/page_alloc.c:4244 [inline]
       __alloc_pages_slowpath.constprop.0+0x949/0x2780 mm/page_alloc.c:4650
       __alloc_pages_nodemask+0x68f/0x930 mm/page_alloc.c:4863
       __alloc_pages include/linux/gfp.h:509 [inline]
       __alloc_pages_node include/linux/gfp.h:522 [inline]
       khugepaged_alloc_page+0xa0/0x170 mm/khugepaged.c:867
       collapse_huge_page mm/khugepaged.c:1056 [inline]
       khugepaged_scan_pmd mm/khugepaged.c:1349 [inline]
       khugepaged_scan_mm_slot mm/khugepaged.c:2110 [inline]
       khugepaged_do_scan mm/khugepaged.c:2193 [inline]
       khugepaged+0x3093/0x5a10 mm/khugepaged.c:2238
       kthread+0x3b5/0x4a0 kernel/kthread.c:291
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(fs_reclaim);
                               lock(&sb->s_type->i_mutex_key#15);
                               lock(fs_reclaim);
  lock(&sb->s_type->i_mutex_key#15);

 *** DEADLOCK ***

2 locks held by khugepaged/1158:
 #0: ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: fs_reclaim_release mm/page_alloc.c:4202 [inline]
 #0: ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: fs_reclaim_release mm/page_alloc.c:4198 [inline]
 #0: ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: __perform_reclaim mm/page_alloc.c:4227 [inline]
 #0: ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: __alloc_pages_direct_reclaim mm/page_alloc.c:4244 [inline]
 #0: ffffffff89c6c260 (fs_reclaim){+.+.}-{0:0}, at: __alloc_pages_slowpath.constprop.0+0x1554/0x2780 mm/page_alloc.c:4650
 #1: ffffffff89c46a90 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0xc7/0x5c0 mm/vmscan.c:669

stack backtrace:
CPU: 1 PID: 1158 Comm: khugepaged Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 check_noncircular+0x324/0x3e0 kernel/locking/lockdep.c:1827
 check_prev_add kernel/locking/lockdep.c:2496 [inline]
 check_prevs_add kernel/locking/lockdep.c:2601 [inline]
 validate_chain kernel/locking/lockdep.c:3218 [inline]
 __lock_acquire+0x2acb/0x56e0 kernel/locking/lockdep.c:4380
 lock_acquire+0x1f1/0xad0 kernel/locking/lockdep.c:4959
 down_write+0x8d/0x150 kernel/locking/rwsem.c:1531
 inode_lock include/linux/fs.h:800 [inline]
 shmem_fallocate+0x153/0xd90 mm/shmem.c:2707
 ashmem_shrink_scan.part.0+0x2e9/0x490 drivers/staging/android/ashmem.c:490
 ashmem_shrink_scan+0x6c/0xa0 drivers/staging/android/ashmem.c:473
 do_shrink_slab+0x3c6/0xab0 mm/vmscan.c:518
 shrink_slab+0x16f/0x5c0 mm/vmscan.c:679
 shrink_node_memcgs mm/vmscan.c:2658 [inline]
 shrink_node+0x519/0x1b60 mm/vmscan.c:2770
 shrink_zones mm/vmscan.c:2973 [inline]
 do_try_to_free_pages+0x38b/0x1340 mm/vmscan.c:3026
 try_to_free_pages+0x29a/0x8b0 mm/vmscan.c:3265
 __perform_reclaim mm/page_alloc.c:4223 [inline]
 __alloc_pages_direct_reclaim mm/page_alloc.c:4244 [inline]
 __alloc_pages_slowpath.constprop.0+0x949/0x2780 mm/page_alloc.c:4650
 __alloc_pages_nodemask+0x68f/0x930 mm/page_alloc.c:4863
 __alloc_pages include/linux/gfp.h:509 [inline]
 __alloc_pages_node include/linux/gfp.h:522 [inline]
 khugepaged_alloc_page+0xa0/0x170 mm/khugepaged.c:867
 collapse_huge_page mm/khugepaged.c:1056 [inline]
 khugepaged_scan_pmd mm/khugepaged.c:1349 [inline]
 khugepaged_scan_mm_slot mm/khugepaged.c:2110 [inline]
 khugepaged_do_scan mm/khugepaged.c:2193 [inline]
 khugepaged+0x3093/0x5a10 mm/khugepaged.c:2238
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

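The warning above is lockdep's cycle check over lock classes, not an observed hang. Chain #1 records that a write(2) into a shmem file takes the inode's i_rwsem (class &sb->s_type->i_mutex_key#15) and then enters page allocation under fs_reclaim; chain #0 shows khugepaged entering direct reclaim with fs_reclaim held, calling the ashmem shrinker, which calls shmem_fallocate() on ashmem's backing shmem file and takes an i_rwsem of the same class. Since every shmem inode shares that class, the two orders form the cycle shown in the "Possible unsafe locking scenario" block. The fix commit listed above resolves it by giving ashmem's backing inode its own lock class with lockdep_set_class(), since that file is never written through write(2). The program below is an added example, not syzbot's or the kernel's code: a user-space model of lockdep's dependency graph that replays the two chains and reports the cycle, then replays them with a separate class for the backing inode. The task names, the replay() and acquire()/release() helpers, the L_* identifiers and the exact acquire/release order within each chain are assumptions reconstructed from the stack traces.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lock classes, named after the lockdep classes in the report above. */
enum lock_class {
	L_I_MUTEX,        /* &sb->s_type->i_mutex_key#15: i_rwsem of a shmem inode */
	L_FS_RECLAIM,     /* fs_reclaim, held across direct reclaim */
	L_SHRINKER_RWSEM, /* shrinker_rwsem, taken by shrink_slab() */
	L_BACKING_INODE,  /* assumed: the separate class the fix gives ashmem's backing inode */
	L_COUNT
};
static const char *const lock_name[L_COUNT] = {
	"&sb->s_type->i_mutex_key#15", "fs_reclaim", "shrinker_rwsem", "backing_shmem_inode_class",
};

/* dep[a][b]: class a was held when class b was acquired (edge a -> b). */
static bool dep[L_COUNT][L_COUNT];

struct task {
	const char *comm;
	enum lock_class held[L_COUNT];
	int nheld;
};

/* Depth-first search: can 'to' be reached from 'from' along recorded edges? */
static bool reaches(enum lock_class from, enum lock_class to, bool *seen)
{
	if (from == to)
		return true;
	seen[from] = true;
	for (int n = 0; n < L_COUNT; n++)
		if (dep[from][n] && !seen[n] && reaches(n, to, seen))
			return true;
	return false;
}

/*
 * Task t acquires 'lock'.  If 'lock' already depends, transitively, on a class
 * t holds, the new edge held -> lock closes a cycle: the report's "which lock
 * already depends on the new lock".  Edges are recorded either way, as lockdep does.
 */
static bool acquire(struct task *t, enum lock_class lock)
{
	bool cycle = false;
	for (int i = 0; i < t->nheld; i++) {
		bool seen[L_COUNT] = { false };
		if (reaches(lock, t->held[i], seen)) {
			printf("%s: possible circular locking dependency: acquiring %s while holding %s\n",
			       t->comm, lock_name[lock], lock_name[t->held[i]]);
			cycle = true;
		}
	}
	for (int i = 0; i < t->nheld; i++)
		dep[t->held[i]][lock] = true;
	t->held[t->nheld++] = lock;
	return cycle;
}

/* Both replayed paths release in LIFO order, so a release pops the top entry. */
static void release(struct task *t, enum lock_class lock)
{
	if (t->nheld > 0 && t->held[t->nheld - 1] == lock)
		t->nheld--;
}

/*
 * Replay the report's two chains.  'ashmem_inode_class' is the class that the
 * inode_lock() in shmem_fallocate() lands on when called from the ashmem shrinker:
 * L_I_MUTEX reproduces the warning, L_BACKING_INODE models the fix.
 */
static bool replay(enum lock_class ashmem_inode_class)
{
	struct task writer = { .comm = "write(2) caller" };
	struct task khugepaged = { .comm = "khugepaged" };
	bool cycle = false;

	memset(dep, 0, sizeof dep);
	/* -> #1: vfs_write -> shmem_write_begin -> page allocation under fs_reclaim */
	cycle |= acquire(&writer, L_I_MUTEX);
	cycle |= acquire(&writer, L_FS_RECLAIM);
	release(&writer, L_FS_RECLAIM);
	release(&writer, L_I_MUTEX);
	/* -> #0: khugepaged -> direct reclaim -> shrink_slab -> ashmem_shrink_scan -> shmem_fallocate */
	cycle |= acquire(&khugepaged, L_FS_RECLAIM);
	cycle |= acquire(&khugepaged, L_SHRINKER_RWSEM);
	cycle |= acquire(&khugepaged, ashmem_inode_class);
	release(&khugepaged, ashmem_inode_class);
	release(&khugepaged, L_SHRINKER_RWSEM);
	release(&khugepaged, L_FS_RECLAIM);
	return cycle;
}

int main(void)
{
	printf("shared inode class: %s\n", replay(L_I_MUTEX) ? "DEADLOCK warning" : "clean");
	printf("separate class (fix): %s\n", replay(L_BACKING_INODE) ? "DEADLOCK warning" : "clean");
	return 0;
}
```

The first replay prints the warning for &sb->s_type->i_mutex_key#15 against both fs_reclaim and shrinker_rwsem, mirroring the two locks khugepaged holds in the report; the second prints nothing. The point is that lockdep reasons about classes, not instances: two shmem inodes that can never be locked together still close the cycle until one of them is moved to its own class.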
Crashes (81):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/07/14 03:06 upstream 11ba468877bb f90ec899 .config console log report syz C ci-upstream-kasan-gce
2020/07/14 03:19 upstream 11ba468877bb f90ec899 .config console log report syz C ci-upstream-kasan-gce-386
2020/07/14 02:44 upstream 11ba468877bb f90ec899 .config console log report syz ci-upstream-kasan-gce-selinux-root
2020/07/14 00:31 upstream 11ba468877bb f90ec899 .config console log report syz ci-upstream-kasan-gce-root
2020/07/28 10:04 upstream 92ed30191993 cb93dc6a .config console log report ci-upstream-kasan-gce
2020/07/24 17:09 upstream f37e99aca03f 554af388 .config console log report ci-upstream-kasan-gce
2020/07/21 15:54 upstream 4fa640dc5230 d88894e6 .config console log report ci-upstream-kasan-gce
2020/07/18 03:48 upstream 8882572675c1 9c812472 .config console log report ci-upstream-kasan-gce
2020/07/17 08:26 upstream f8456690ba8e 54b3c45e .config console log report ci-upstream-kasan-gce
2020/07/13 19:10 upstream 11ba468877bb f90ec899 .config console log report ci-upstream-kasan-gce-root
2020/07/07 01:20 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/02 16:02 upstream cd77006e01b3 bed10395 .config console log report ci-upstream-kasan-gce
2020/07/01 02:22 upstream 9ebcfadb0610 917afeaa .config console log report ci-upstream-kasan-gce
2020/06/24 21:55 upstream 7ae77150d94d 54566aff .config console log report ci-upstream-kasan-gce-smack-root
2020/06/13 16:33 upstream 7ae77150d94d f4724dd3 .config console log report ci-upstream-kasan-gce-smack-root
2020/06/13 13:13 upstream 7ae77150d94d f4724dd3 .config console log report ci-upstream-kasan-gce-smack-root
2020/06/09 13:43 upstream 7ae77150d94d 0d60b78a .config console log report ci-upstream-kasan-gce
2020/06/05 15:54 upstream 435faf5c218a 2420d1bc .config console log report ci-upstream-kasan-gce-selinux-root
2020/05/13 08:55 upstream 24085f70a6e1 a44eb8f7 .config console log report ci-upstream-kasan-gce
2020/04/25 03:46 upstream b4f633221f0a 03d97a1b .config console log report ci-upstream-kasan-gce-selinux-root
2020/04/24 09:43 upstream c578ddb39e56 2e44d63e .config console log report ci-upstream-kasan-gce-smack-root
2020/04/18 19:58 upstream 90280eaa88ac 365fba24 .config console log report ci-upstream-kasan-gce
2020/04/02 13:10 upstream 919dce24701f a34e2c33 .config console log report ci-upstream-kasan-gce-selinux-root
2020/03/30 13:40 upstream 7111951b8d49 c8d1cc20 .config console log report ci-upstream-kasan-gce-selinux-root
2020/03/29 15:36 upstream 906c40438bb6 05736b29 .config console log report ci-upstream-kasan-gce-smack-root
2020/03/27 11:54 upstream f3e69428b5e2 7d95711b .config console log report ci-upstream-kasan-gce-root
2020/03/24 18:48 upstream 76ccd234269b 68660b21 .config console log report ci-upstream-kasan-gce
2020/03/24 16:19 upstream 979e52ca0469 68660b21 .config console log report ci-upstream-kasan-gce
2020/03/22 13:04 upstream b74b991fb8b9 78267cec .config console log report ci-upstream-kasan-gce
2020/03/17 12:35 upstream fb33c6510d55 749688d2 .config console log report ci-upstream-kasan-gce
2020/03/08 19:36 upstream 378fee2e6b12 2e9971bb .config console log report ci-upstream-kasan-gce-smack-root
2020/03/07 23:48 upstream 63849c8f4107 2e9971bb .config console log report ci-upstream-kasan-gce
2020/03/06 17:44 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/06 16:03 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/06 10:21 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/06 06:51 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/06 05:13 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/06 02:56 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/06 02:01 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/06 01:52 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce-smack-root
2020/03/05 18:38 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/05 15:27 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/05 11:22 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/05 09:58 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/03/05 07:36 upstream 63623fd44972 c88c7b75 .config console log report ci-upstream-kasan-gce
2020/02/28 06:19 upstream f8788d86ab28 59b57593 .config console log report ci-upstream-kasan-gce
2020/02/28 04:38 upstream f8788d86ab28 59b57593 .config console log report ci-upstream-kasan-gce
2020/02/27 21:12 upstream f8788d86ab28 59b57593 .config console log report ci-upstream-kasan-gce
2020/02/27 09:47 upstream f8788d86ab28 59b57593 .config console log report ci-upstream-kasan-gce
2020/02/25 23:35 upstream f8788d86ab28 59b57593 .config console log report ci-upstream-kasan-gce
2020/01/29 15:29 upstream b3a608222336 5ed23f9a .config console log report ci-upstream-kasan-gce-smack-root
2020/01/29 05:41 upstream c677124e631d c8e81ce4 .config console log report ci-upstream-kasan-gce-smack-root
2020/01/28 18:53 upstream b0be0eff1a5a c8e81ce4 .config console log report ci-upstream-kasan-gce
2020/01/24 18:23 upstream 4703d9119972 2e95ab33 .config console log report ci-upstream-kasan-gce
2020/01/12 13:49 upstream 6327edceb62b 53faa9fe .config console log report ci-qemu-upstream
2019/12/30 22:08 upstream fd6988496e79 af6b8ef8 .config console log report ci-upstream-kasan-gce
2019/12/24 08:22 upstream 46cf053efec6 be5c2c81 .config console log report ci-upstream-kasan-gce
2020/04/27 12:46 linux-next ac935d227366 0ce7569e .config console log report ci-upstream-linux-next-kasan-gce-root
2020/04/08 05:08 linux-next 5798bd75ab13 db9bcd4b .config console log report ci-upstream-linux-next-kasan-gce-root
2020/03/24 00:03 linux-next 770fbb32d34e 84f999d6 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.