syzbot


possible deadlock in do_io_accounting

Status: upstream: reported C repro on 2019/06/24 03:04
Reported-by: syzbot+7ec38c73675a68bc3d4d@syzkaller.appspotmail.com
First crash: 1792d, last: 844d
Fix bisection: failed (error log, bisect log)

Similar bugs (8)

| Kernel | Title | Subsystem | Repro | Bisect (cause / fix) | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-49 | possible deadlock in do_io_accounting | | C | | 4521 | 1629d | 1865d | 0/3 | public: reported C repro on 2019/04/12 00:00 |
| android-44 | possible deadlock in do_io_accounting | | C | | 28 | 1631d | 1866d | 0/2 | public: reported C repro on 2019/04/11 08:44 |
| linux-4.19 | possible deadlock in do_io_accounting | | C | done | 4 | 1694d | 1806d | 1/1 | fixed on 2019/12/10 20:49 |
| upstream | possible deadlock in do_io_accounting (3) | fs | C | inconclusive / done | 39 | 1516d | 1606d | 15/26 | fixed on 2020/08/18 22:40 |
| linux-4.19 | possible deadlock in do_io_accounting (2) | | syz | error | 26 | 1346d | 1609d | 0/1 | upstream: reported syz repro on 2019/12/24 07:12 |
| upstream | possible deadlock in do_io_accounting | fs | syz | | 1003 | 1881d | 2359d | 0/26 | closed as dup on 2017/12/12 21:27 |
| upstream | possible deadlock in do_io_accounting (2) | fs | | | 1 | 1854d | 1851d | 0/26 | auto-closed as invalid on 2019/10/20 09:03 |
| android-414 | possible deadlock in do_io_accounting | | syz | | 70 | 1882d | 1865d | 0/1 | public: reported syz repro on 2019/04/12 00:01 |
Last patch testing requests (6)

| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2023/02/10 14:32 | 9m | retest repro | | linux-4.14.y | report log |
| 2023/02/10 13:32 | 9m | retest repro | | linux-4.14.y | report log |
| 2023/02/10 12:32 | 9m | retest repro | | linux-4.14.y | report log |
| 2022/09/20 16:29 | 15m | retest repro | | linux-4.14.y | report log |
| 2022/09/20 15:29 | 11m | retest repro | | linux-4.14.y | report log |
| 2022/09/20 14:29 | 10m | retest repro | | linux-4.14.y | report log |
Fix bisection attempts (21)

| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2022/02/26 14:49 | 0m | bisect fix | | linux-4.14.y | error job log (0) |
| 2022/01/27 14:19 | 29m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/12/28 13:47 | 32m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/11/28 13:21 | 26m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/10/29 12:38 | 31m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/09/26 14:29 | 30m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/08/27 14:03 | 26m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/07/28 13:35 | 27m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/06/28 13:11 | 23m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/05/29 12:45 | 26m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/04/29 12:15 | 29m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/03/30 11:52 | 22m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/02/28 11:29 | 23m | bisect fix | | linux-4.14.y | job log (0) log |
| 2021/01/29 11:03 | 25m | bisect fix | | linux-4.14.y | job log (0) log |
| 2020/12/30 10:40 | 22m | bisect fix | | linux-4.14.y | job log (0) log |
| 2020/11/30 10:05 | 29m | bisect fix | | linux-4.14.y | job log (0) log |
| 2020/10/31 09:42 | 23m | bisect fix | | linux-4.14.y | job log (0) log |
| 2020/10/01 09:16 | 25m | bisect fix | | linux-4.14.y | job log (0) log |
| 2020/09/01 06:31 | 29m | bisect fix | | linux-4.14.y | job log (0) log |
| 2020/08/02 05:18 | 24m | bisect fix | | linux-4.14.y | job log (0) log |
| 2020/03/01 16:49 | 30m | bisect fix | | linux-4.14.y | job log (0) log |

Sample crash report:
audit: type=1400 audit(1593753365.355:8): avc:  denied  { execmem } for  pid=6345 comm="syz-executor529" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.14.184-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor529/6345 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff81a44af7>] do_io_accounting+0x1c7/0x760 fs/proc/base.c:2726

but task is already holding lock:
 (&p->lock){+.+.}, at: [<ffffffff8193189a>] seq_read+0xba/0x1130 fs/seq_file.c:165

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&p->lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xe8/0x1430 kernel/locking/mutex.c:893
       seq_read+0xba/0x1130 fs/seq_file.c:165
       proc_reg_read+0xf2/0x160 fs/proc/inode.c:217
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3e3/0x5a0 fs/read_write.c:919
       vfs_readv+0xd3/0x130 fs/read_write.c:981
       kernel_readv fs/splice.c:361 [inline]
       default_file_splice_read+0x41d/0x870 fs/splice.c:416
       do_splice_to+0xfb/0x150 fs/splice.c:880
       splice_direct_to_actor+0x20a/0x730 fs/splice.c:952
       do_splice_direct+0x164/0x210 fs/splice.c:1061
       do_sendfile+0x469/0xaf0 fs/read_write.c:1441
       SYSC_sendfile64 fs/read_write.c:1502 [inline]
       SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #2 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x1a1/0x2e0 fs/super.c:1363
       sb_start_write include/linux/fs.h:1549 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
       ovl_create_object+0x75/0x1d0 fs/overlayfs/dir.c:538
       lookup_open+0x756/0x1700 fs/namei.c:3241
       do_last fs/namei.c:3334 [inline]
       path_openat+0xddf/0x2aa0 fs/namei.c:3569
       do_filp_open+0x18e/0x250 fs/namei.c:3603
       do_sys_open+0x292/0x3e0 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&ovl_i_mutex_dir_key[depth]){++++}:
       down_read+0x37/0xa0 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:729 [inline]
       do_last fs/namei.c:3333 [inline]
       path_openat+0x148c/0x2aa0 fs/namei.c:3569
       do_filp_open+0x18e/0x250 fs/namei.c:3603
       do_open_execat+0xda/0x440 fs/exec.c:849
       do_execveat_common.isra.0+0x680/0x1c50 fs/exec.c:1742
       do_execve fs/exec.c:1847 [inline]
       SYSC_execve fs/exec.c:1928 [inline]
       SyS_execve+0x34/0x40 fs/exec.c:1923
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&sig->cred_guard_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xe8/0x1430 kernel/locking/mutex.c:893
       do_io_accounting+0x1c7/0x760 fs/proc/base.c:2726
       proc_single_show+0xe7/0x150 fs/proc/base.c:761
       seq_read+0x4d2/0x1130 fs/seq_file.c:237
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3e3/0x5a0 fs/read_write.c:919
       vfs_readv+0xd3/0x130 fs/read_write.c:981
       do_preadv+0x161/0x200 fs/read_write.c:1065
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &sig->cred_guard_mutex --> sb_writers#3 --> &p->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&p->lock);
                               lock(sb_writers#3);
                               lock(&p->lock);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor529/6345:
 #0:  (&p->lock){+.+.}, at: [<ffffffff8193189a>] seq_read+0xba/0x1130 fs/seq_file.c:165

stack backtrace:
CPU: 0 PID: 6345 Comm: syz-executor529 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x3057/0x42a0 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xe8/0x1430 kernel/locking/mutex.c:893
 do_io_accounting+0x1c7/0x760 fs/proc/base.c:2726
 proc_single_show+0xe7/0x150 fs/proc/base.c:761
 seq_read+0x4d2/0x1130 fs/seq_file.c:237
 do_loop_readv_writev fs/read_write.c:695 [inline]
 do_loop_readv_writev fs/read_write.c:682 [inline]
 do_iter_read+0x3e3/0x5a0 fs/read_write.c:919
 vfs_readv+0xd3/0x130 fs/read_write.c:981
 do_preadv+0x161/0x200 fs/read_write.c:1065
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x440539
RSP: 002b:00007fffc15cd428 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440539
RDX: 00000000000003da RSI: 00000000200017c0 RDI: 0000000000000006
RBP: 00000000006cb018 R08: 0000000000

Crashes (56):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2020/07/03 05:18 | linux-4.14.y | b850307b279c | f30c14bf | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2019/12/27 02:29 | linux-4.14.y | e1f7d50ae3a3 | be5c2c81 | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2019/06/24 02:03 | linux-4.14.y | a5758c531177 | 472f0082 | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/06/22 00:19 | linux-4.14.y | b850307b279c | 4f2acff9 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/06/07 04:54 | linux-4.14.y | c6db52a88798 | e6b89e4e | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/05/22 12:36 | linux-4.14.y | a41ba30d9df2 | 4afdfa20 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/05/04 05:00 | linux-4.14.y | 773e2b1cd56a | 58ae5e18 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/29 03:05 | linux-4.14.y | 050272a0423e | e3ecea2e | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/27 19:49 | linux-4.14.y | 050272a0423e | 0ce7569e | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/27 02:58 | linux-4.14.y | 050272a0423e | 0ce7569e | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/17 06:03 | linux-4.14.y | c10b57a567e4 | c743fcb3 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/15 14:03 | linux-4.14.y | c10b57a567e4 | 3f3c5574 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/14 09:24 | linux-4.14.y | c10b57a567e4 | 7c54686a | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/11 03:02 | linux-4.14.y | 4520f06b03ae | a8c6a3f8 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/10 22:10 | linux-4.14.y | 4520f06b03ae | a8c6a3f8 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/10 15:02 | linux-4.14.y | 4520f06b03ae | a8c6a3f8 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/10 03:02 | linux-4.14.y | 4520f06b03ae | a8c6a3f8 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/10 01:41 | linux-4.14.y | 4520f06b03ae | a8c6a3f8 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/03 10:36 | linux-4.14.y | 4520f06b03ae | 5ed396e6 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/04/02 06:08 | linux-4.14.y | 01364dad1d45 | a34e2c33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/03/30 04:56 | linux-4.14.y | 01364dad1d45 | 05736b29 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/03/23 10:47 | linux-4.14.y | 01364dad1d45 | 78267cec | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/03/17 18:01 | linux-4.14.y | 12cd844a39ed | 749688d2 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/03/11 23:42 | linux-4.14.y | 12cd844a39ed | d850e9d0 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/03/11 07:37 | linux-4.14.y | 78d697fc93f9 | 35f53e45 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/03/11 04:43 | linux-4.14.y | 78d697fc93f9 | 35f53e45 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/31 16:28 | linux-4.14.y | 9fa690a2a016 | 5ed23f9a | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/27 15:09 | linux-4.14.y | 9a95f25269bd | 56cd6c9b | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 20:15 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 12:59 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 12:21 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 11:56 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 10:46 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 09:28 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 09:05 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 07:50 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 02:08 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/25 00:47 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/24 17:46 | linux-4.14.y | 8bac50406cca | 2e95ab33 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/23 22:04 | linux-4.14.y | 8bac50406cca | 11ebf937 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/23 06:08 | linux-4.14.y | c1141b3aab36 | 3334d684 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/22 08:44 | linux-4.14.y | c1141b3aab36 | 8eda0b95 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/22 00:48 | linux-4.14.y | c1141b3aab36 | 8eda0b95 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/22 00:21 | linux-4.14.y | c1141b3aab36 | 8eda0b95 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/21 23:14 | linux-4.14.y | c1141b3aab36 | 8eda0b95 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/21 21:05 | linux-4.14.y | c1141b3aab36 | 8eda0b95 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/21 15:40 | linux-4.14.y | c1141b3aab36 | 8eda0b95 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/21 07:50 | linux-4.14.y | c1141b3aab36 | 8eda0b95 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/20 10:39 | linux-4.14.y | c1141b3aab36 | c40da18c | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/18 10:20 | linux-4.14.y | c1141b3aab36 | 3de7aabb | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2020/01/18 07:41 | linux-4.14.y | c1141b3aab36 | 3de7aabb | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2019/12/28 02:15 | linux-4.14.y | e1f7d50ae3a3 | be5c2c81 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2019/12/24 13:13 | linux-4.14.y | e1f7d50ae3a3 | be5c2c81 | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2019/12/11 13:45 | linux-4.14.y | a844dc4c5442 | 101194eb | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2019/10/25 07:37 | linux-4.14.y | b98aebd29824 | d01bb02a | .config | console log | report | | | | | ci2-linux-4-14 | |
| 2019/10/20 11:14 | linux-4.14.y | b98aebd29824 | 8c88c9c1 | .config | console log | report | | | | | ci2-linux-4-14 | |