syzbot

 sign-in | mailing list | source | docs
🐞 Open [142] 🐞 Fixed [16] 🐞 Invalid [163] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

inconsistent lock state in shmem_fallocate

Status: public: reported C repro on 2019/04/13 00:00
Reported-by: syzbot+5c9710eb563be3a65db0@syzkaller.appspotmail.com
First crash: 1930d, last: 1611d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 inconsistent lock state in shmem_fallocate C 28 1601d 1833d 0/3 public: reported C repro on 2019/04/14 00:00

Sample crash report:
=================================
[ INFO: inconsistent lock state ]
4.4.169+ #2 Not tainted
---------------------------------
inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-W} usage.
kswapd0/28 [HC0[0]:SC0[0]:HE1:SE1] takes:
 (&sb->s_type->i_mutex_key#10){+.+.?.}, at: [<ffffffff8140445b>] shmem_fallocate+0x13b/0x9c0 mm/shmem.c:2078
{RECLAIM_FS-ON-W} state was registered at:
  [<ffffffff811fedc1>] mark_held_locks+0xb1/0x100 kernel/locking/lockdep.c:2536
  [<ffffffff8120759c>] __lockdep_trace_alloc kernel/locking/lockdep.c:2758 [inline]
  [<ffffffff8120759c>] lockdep_trace_alloc+0x18c/0x2b0 kernel/locking/lockdep.c:2773
  [<ffffffff813d004a>] __alloc_pages_nodemask+0x13a/0x14b0 mm/page_alloc.c:3266
  [<ffffffff81401b33>] __alloc_pages include/linux/gfp.h:415 [inline]
  [<ffffffff81401b33>] __alloc_pages_node include/linux/gfp.h:428 [inline]
  [<ffffffff81401b33>] alloc_pages_node include/linux/gfp.h:442 [inline]
  [<ffffffff81401b33>] shmem_alloc_page mm/shmem.c:953 [inline]
  [<ffffffff81401b33>] shmem_getpage_gfp+0x6a3/0x1120 mm/shmem.c:1191
  [<ffffffff8140269b>] shmem_getpage mm/shmem.c:130 [inline]
  [<ffffffff8140269b>] shmem_write_begin+0xeb/0x190 mm/shmem.c:1509
  [<ffffffff813b92a1>] generic_perform_write+0x281/0x540 mm/filemap.c:2591
  [<ffffffff813bcec0>] __generic_file_write_iter+0x350/0x540 mm/filemap.c:2716
  [<ffffffff813bd45a>] generic_file_write_iter+0x3aa/0x740 mm/filemap.c:2744
  [<ffffffff814964b8>] new_sync_write fs/read_write.c:478 [inline]
  [<ffffffff814964b8>] __vfs_write+0x2e8/0x3d0 fs/read_write.c:491
  [<ffffffff81497fe2>] vfs_write+0x182/0x4e0 fs/read_write.c:538
  [<ffffffff8149a61c>] SYSC_write fs/read_write.c:585 [inline]
  [<ffffffff8149a61c>] SyS_write+0xdc/0x1c0 fs/read_write.c:577
  [<ffffffff827153a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
irq event stamp: 41
hardirqs last  enabled at (41): [<ffffffff827088cd>] __mutex_trylock_slowpath kernel/locking/mutex.c:885 [inline]
hardirqs last  enabled at (41): [<ffffffff827088cd>] mutex_trylock+0x28d/0x500 kernel/locking/mutex.c:908
hardirqs last disabled at (40): [<ffffffff827086ef>] __mutex_trylock_slowpath kernel/locking/mutex.c:873 [inline]
hardirqs last disabled at (40): [<ffffffff827086ef>] mutex_trylock+0xaf/0x500 kernel/locking/mutex.c:908
softirqs last  enabled at (0): [<ffffffff810cbe1b>] copy_process+0x127b/0x68c0 kernel/fork.c:1468
softirqs last disabled at (0): [<          (null)>]           (null)

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&sb->s_type->i_mutex_key#10);
  <Interrupt>
    lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

2 locks held by kswapd0/28:
 #0:  (shrinker_rwsem){++++..}, at: [<ffffffff813ee0b2>] shrink_slab.part.0+0xb2/0xb30 mm/vmscan.c:431
 #1:  (ashmem_mutex){+.+.+.}, at: [<ffffffff82118166>] ashmem_shrink_scan+0x56/0x4c0 drivers/staging/android/ashmem.c:442

stack backtrace:
CPU: 1 PID: 28 Comm: kswapd0 Not tainted 4.4.169+ #2
 0000000000000000 218b77c28ac0b8db ffff8800bb657290 ffffffff81aab9c1
 00000000000000f0 ffff8800001f5f00 ffffffff83abd980 ffffffff84055ac0
 ffff8800001f6838 ffff8800bb657308 ffffffff813ad270 0000000000000000
Call Trace:
 [<ffffffff81aab9c1>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aab9c1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff813ad270>] print_usage_bug.cold+0x454/0x592 kernel/locking/lockdep.c:2267
 [<ffffffff811fdfcd>] valid_state kernel/locking/lockdep.c:2280 [inline]
 [<ffffffff811fdfcd>] mark_lock_irq kernel/locking/lockdep.c:2478 [inline]
 [<ffffffff811fdfcd>] mark_lock+0x6fd/0x1440 kernel/locking/lockdep.c:2933
 [<ffffffff811ffde7>] mark_irqflags kernel/locking/lockdep.c:2834 [inline]
 [<ffffffff811ffde7>] __lock_acquire+0xa27/0x4f50 kernel/locking/lockdep.c:3169
 [<ffffffff81205d7e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [<ffffffff82708c01>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [<ffffffff82708c01>] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621
 [<ffffffff8140445b>] shmem_fallocate+0x13b/0x9c0 mm/shmem.c:2078
 [<ffffffff821182d3>] ashmem_shrink_scan drivers/staging/android/ashmem.c:449 [inline]
 [<ffffffff821182d3>] ashmem_shrink_scan+0x1c3/0x4c0 drivers/staging/android/ashmem.c:433
 [<ffffffff813ee402>] do_shrink_slab mm/vmscan.c:357 [inline]
 [<ffffffff813ee402>] shrink_slab.part.0+0x402/0xb30 mm/vmscan.c:455
 [<ffffffff813f6f4c>] shrink_slab mm/vmscan.c:425 [inline]
 [<ffffffff813f6f4c>] shrink_zone+0x4bc/0x610 mm/vmscan.c:2448
 [<ffffffff813f8daf>] kswapd_shrink_zone mm/vmscan.c:3123 [inline]
 [<ffffffff813f8daf>] balance_pgdat mm/vmscan.c:3298 [inline]
 [<ffffffff813f8daf>] kswapd+0xaaf/0x1c60 mm/vmscan.c:3506
 [<ffffffff811340d3>] kthread+0x273/0x310 kernel/kthread.c:211
 [<ffffffff827157c5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
lowmemorykiller: Killing 'restorecond' (2001) (tgid 2001), adj 0,
   to free 4908kB on behalf of 'kswapd0' (28) because
   cache 3912kB is below limit 6144kB for oom_score_adj 0
   Free memory is -5312kB above reserved
lowmemorykiller: Killing 'dhclient' (1787) (tgid 1787), adj 0,
   to free 2292kB on behalf of 'kswapd0' (28) because

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/01/06 05:00 https://android.googlesource.com/kernel/common android-4.4 d08574b6f0ae 53be0a37 .config console log report syz C ci-android-44-kasan-gce
2019/01/06 05:46 https://android.googlesource.com/kernel/common android-4.4 d08574b6f0ae 53be0a37 .config console log report syz ci-android-44-kasan-gce-386
2019/11/11 21:36 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 048f2d49 .config console log report ci-android-44-kasan-gce
2019/10/30 03:48 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 5ea87a66 .config console log report ci-android-44-kasan-gce
2019/09/28 09:23 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b d8074e0b .config console log report ci-android-44-kasan-gce
2019/09/06 02:37 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 040fda58 .config console log report ci-android-44-kasan-gce
2019/07/26 16:02 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 3e5d1beb .config console log report ci-android-44-kasan-gce
2019/11/22 00:15 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 8098ea0f .config console log report ci-android-44-kasan-gce-386
2019/11/21 11:30 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 8098ea0f .config console log report ci-android-44-kasan-gce-386
2019/11/16 21:25 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b d5696d51 .config console log report ci-android-44-kasan-gce-386
2019/09/22 01:57 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b d96e88f3 .config console log report ci-android-44-kasan-gce-386
2019/09/10 02:07 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b a60cb4cd .config console log report ci-android-44-kasan-gce-386
2019/03/30 15:57 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b c35ee0ea .config console log report ci-android-44-kasan-gce-386
* Struck through repros no longer work on HEAD.