syzbot


possible deadlock in mon_bin_vma_fault

Status: fixed on 2020/02/14 01:19
Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com
Fix commit: 19e6317d24c2 usb: mon: Fix a deadlock in usbmon between mmap and read
First crash: 1398d, last: 928d

Cause bisection: introduced by (bisect log) :
commit 46eb14a6e1585d99c1b9f58d0e7389082a5f466b
Author: Pete Zaitcev <zaitcev@redhat.com>
Date: Mon Jan 8 21:46:41 2018 +0000

  USB: fix usbmon BUG trigger

Crash: possible deadlock in __might_fault (log)
Repro: C syz .config
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
possible deadlock in __might_fault (3) C 10722 927d 1398d 0/22 closed as dup on 2018/09/16 01:51
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 possible deadlock in mon_bin_vma_fault C done 282 934d 1169d 1/1 fixed on 2020/01/07 21:27
linux-4.19 possible deadlock in mon_bin_vma_fault C done 375 926d 1175d 1/1 fixed on 2020/01/15 15:23
Patch testing requests:
Created Duration User Patch Repo Result
2019/11/24 20:55 16m stern@rowland.harvard.edu patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.3 OK
2019/11/24 15:59 0m stern@rowland.harvard.edu patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.3 error

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
5.4.0-rc3+ #0 Not tainted
------------------------------------------------------
syz-executor400/9226 is trying to acquire lock:
ffff888099c22d00 (&rp->fetch_lock){+.+.}, at: mon_bin_vma_fault+0x73/0x2d0 drivers/usb/mon/mon_bin.c:1237

but task is already holding lock:
ffff8880a81fd5d8 (&mm->mmap_sem#2){++++}, at: __mm_populate+0x270/0x380 mm/gup.c:1251

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&mm->mmap_sem#2){++++}:
       __might_fault mm/memory.c:4450 [inline]
       __might_fault+0x15e/0x1e0 mm/memory.c:4435
       _copy_to_user+0x30/0x160 lib/usercopy.c:26
       copy_to_user include/linux/uaccess.h:152 [inline]
       mon_bin_read+0x329/0x640 drivers/usb/mon/mon_bin.c:825
       __vfs_read+0x8a/0x110 fs/read_write.c:425
       vfs_read+0x1f0/0x440 fs/read_write.c:461
       ksys_read+0x14f/0x290 fs/read_write.c:587
       __do_sys_read fs/read_write.c:597 [inline]
       __se_sys_read fs/read_write.c:595 [inline]
       __x64_sys_read+0x73/0xb0 fs/read_write.c:595
       do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&rp->fetch_lock){+.+.}:
       check_prev_add kernel/locking/lockdep.c:2476 [inline]
       check_prevs_add kernel/locking/lockdep.c:2581 [inline]
       validate_chain kernel/locking/lockdep.c:2971 [inline]
       __lock_acquire+0x2596/0x4a00 kernel/locking/lockdep.c:3955
       lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4487
       __mutex_lock_common kernel/locking/mutex.c:956 [inline]
       __mutex_lock+0x156/0x13c0 kernel/locking/mutex.c:1103
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1118
       mon_bin_vma_fault+0x73/0x2d0 drivers/usb/mon/mon_bin.c:1237
       __do_fault+0x111/0x540 mm/memory.c:3092
       do_read_fault mm/memory.c:3489 [inline]
       do_fault mm/memory.c:3618 [inline]
       handle_pte_fault mm/memory.c:3849 [inline]
       __handle_mm_fault+0x2dd0/0x4040 mm/memory.c:3973
       handle_mm_fault+0x3b7/0xaa0 mm/memory.c:4010
       faultin_page mm/gup.c:640 [inline]
       __get_user_pages+0x7d4/0x1b30 mm/gup.c:845
       populate_vma_page_range+0x20d/0x2a0 mm/gup.c:1223
       __mm_populate+0x204/0x380 mm/gup.c:1271
       mm_populate include/linux/mm.h:2362 [inline]
       vm_mmap_pgoff+0x213/0x230 mm/util.c:501
       ksys_mmap_pgoff+0x4aa/0x630 mm/mmap.c:1629
       __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
       __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&mm->mmap_sem#2);
                               lock(&rp->fetch_lock);
                               lock(&mm->mmap_sem#2);
  lock(&rp->fetch_lock);

 *** DEADLOCK ***

1 lock held by syz-executor400/9226:
 #0: ffff8880a81fd5d8 (&mm->mmap_sem#2){++++}, at: __mm_populate+0x270/0x380 mm/gup.c:1251

stack backtrace:
CPU: 1 PID: 9226 Comm: syz-executor400 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_circular_bug.isra.0.cold+0x163/0x172 kernel/locking/lockdep.c:1685
 check_noncircular+0x32e/0x3e0 kernel/locking/lockdep.c:1809
 check_prev_add kernel/locking/lockdep.c:2476 [inline]
 check_prevs_add kernel/locking/lockdep.c:2581 [inline]
 validate_chain kernel/locking/lockdep.c:2971 [inline]
 __lock_acquire+0x2596/0x4a00 kernel/locking/lockdep.c:3955
 lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4487
 __mutex_lock_common kernel/locking/mutex.c:956 [inline]
 __mutex_lock+0x156/0x13c0 kernel/locking/mutex.c:1103
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1118
 mon_bin_vma_fault+0x73/0x2d0 drivers/usb/mon/mon_bin.c:1237
 __do_fault+0x111/0x540 mm/memory.c:3092
 do_read_fault mm/memory.c:3489 [inline]
 do_fault mm/memory.c:3618 [inline]
 handle_pte_fault mm/memory.c:3849 [inline]
 __handle_mm_fault+0x2dd0/0x4040 mm/memory.c:3973
 handle_mm_fault+0x3b7/0xaa0 mm/memory.c:4010
 faultin_page mm/gup.c:640 [inline]
 __get_user_pages+0x7d4/0x1b30 mm/gup.c:845
 populate_vma_page_range+0x20d/0x2a0 mm/gup.c:1223
 __mm_populate+0x204/0x380 mm/gup.c:1271
 mm_populate include/linux/mm.h:2362 [inline]
 vm_mmap_pgoff+0x213/0x230 mm/util.c:501
 ksys_mmap_pgoff+0x4aa/0x630 mm/mmap.c:1629
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
 __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44a689
Code: e8 8c b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fcce0445cd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 000000000044a689
RDX: 0000000002000001 RSI: 0000000002000000 RDI: 0000000020ffd000
RBP: 00000000006dbc30 R08: 0000000000000005 R09: 0000000000000000
R10: 03eb6b06d1207692 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 00007ffe7f6a81af R14: 00007fcce04469c0 R15: 20c49ba5e353f7cf

Crashes (11427):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2019/10/20 10:49 upstream 531e93d11470 8c88c9c1 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/10/19 12:42 upstream b9959c7a347d 8c88c9c1 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/10/18 19:23 upstream 0e2adab6cf28 8c88c9c1 .config log report syz C
ci-upstream-kasan-gce-smack-root 2019/10/15 14:48 upstream 5bc52f64e884 b5268b89 .config log report syz C
ci-upstream-kasan-gce-root 2019/10/14 23:51 upstream 4f5cafb5cb84 05ad7292 .config log report syz C
ci-upstream-kasan-gce-root 2019/10/14 09:16 upstream d4615e5a4680 2f661ec4 .config log report syz C
ci-upstream-kasan-gce-root 2019/10/13 17:55 upstream da94001239cc 2f661ec4 .config log report syz C
ci-upstream-kasan-gce-smack-root 2019/10/13 16:01 upstream da94001239cc 2f661ec4 .config log report syz C
ci-upstream-kasan-gce 2019/10/06 01:58 upstream b145b0eb2031 f3f7d9c8 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/07/03 14:45 upstream eca94432934f 55565fa0 .config log report syz C
ci-upstream-kasan-gce 2019/07/03 14:43 upstream eca94432934f 55565fa0 .config log report syz C
ci-upstream-kasan-gce-root 2019/07/03 14:40 upstream eca94432934f 55565fa0 .config log report syz C
ci-upstream-kasan-gce-smack-root 2019/07/03 14:37 upstream eca94432934f 55565fa0 .config log report syz C
ci-upstream-kasan-gce-smack-root 2019/04/19 04:44 upstream 6d906f998179 b0e8efcb .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/04/19 04:44 upstream 6d906f998179 b0e8efcb .config log report syz C
ci-upstream-kasan-gce-root 2019/03/10 17:05 upstream 6cdc577a18a6 12365b99 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/03/10 16:46 upstream 6cdc577a18a6 12365b99 .config log report syz C
ci-upstream-kasan-gce-smack-root 2019/03/10 15:34 upstream 6cdc577a18a6 12365b99 .config log report syz C
ci-upstream-kasan-gce 2019/03/10 15:00 upstream 6cdc577a18a6 12365b99 .config log report syz C
ci-upstream-kasan-gce-root 2018/09/01 09:29 upstream 420f51f4ab6b a4718693 .config log report syz C
ci-upstream-kasan-gce-root 2018/09/01 07:51 upstream 420f51f4ab6b a4718693 .config log report syz C
ci-upstream-kasan-gce-root 2018/09/01 05:24 upstream 420f51f4ab6b a4718693 .config log report syz C
ci-upstream-kasan-gce 2018/09/01 02:50 upstream 420f51f4ab6b a4718693 .config log report syz C
ci-upstream-kasan-gce 2018/08/31 23:23 upstream 420f51f4ab6b a4718693 .config log report syz C
ci-upstream-kasan-gce-root 2018/08/31 21:17 upstream 420f51f4ab6b a4718693 .config log report syz C
ci-upstream-kasan-gce 2018/08/31 01:49 upstream 58c3f14f86c9 938220fd .config log report syz C
ci-upstream-kasan-gce-386 2019/07/03 14:43 upstream eca94432934f 55565fa0 .config log report syz C
ci-upstream-kasan-gce-386 2019/03/10 15:18 upstream 6cdc577a18a6 12365b99 .config log report syz C
ci-upstream-kasan-gce-386 2018/09/01 03:09 upstream 420f51f4ab6b a4718693 .config log report syz C
ci-upstream-kasan-gce-386 2018/09/01 01:45 upstream 420f51f4ab6b a4718693 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/10/18 13:26 linux-next c4b9850b3676 8c88c9c1 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/10/18 02:59 linux-next 3ef845da3c3b 8c88c9c1 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/10/17 08:35 linux-next 3ef845da3c3b 8c88c9c1 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/07/09 02:59 linux-next d58b5ab90ee7 f62e1e85 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/03/12 02:30 linux-next cf08baa29613 12365b99 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/09/01 15:49 linux-next a880148cb2af a4718693 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/09/01 14:18 linux-next a880148cb2af a4718693 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/08/31 23:41 linux-next a880148cb2af a4718693 .config log report syz C
ci-upstream-kasan-gce-root 2019/04/19 05:46 upstream 6d906f998179 b0e8efcb .config log report syz
ci-upstream-kasan-gce 2019/04/19 04:43 upstream 6d906f998179 b0e8efcb .config log report syz
ci-upstream-linux-next-kasan-gce-root 2019/04/19 04:43 linux-next 3f018f4a019a b0e8efcb .config log report syz
ci-upstream-kasan-gce-selinux-root 2019/12/14 09:09 upstream e31736d9fae8 eef6e580 .config log report
ci-upstream-kasan-gce 2019/12/11 05:03 upstream 6794862a16ef 101194eb .config log report
ci-upstream-kasan-gce-root 2019/12/10 15:20 upstream 6794862a16ef 5a5826a1 .config log report
ci-upstream-kasan-gce-root 2019/12/10 02:32 upstream 6794862a16ef 4b83c8fb .config log report
ci-upstream-kasan-gce-root 2019/12/09 12:58 upstream e42617b825f8 b31eda3d .config log report
ci-upstream-kasan-gce 2019/12/09 08:51 upstream e42617b825f8 1508f453 .config log report
ci-upstream-kasan-gce-selinux-root 2019/12/08 14:56 upstream 9455d25f4e3b 1508f453 .config log report
ci-upstream-kasan-gce-selinux-root 2019/12/07 11:34 upstream eea2d5da29e3 85f26751 .config log report
ci-upstream-kasan-gce-selinux-root 2019/12/06 22:06 upstream 7ada90eb9c7a 85f26751 .config log report
ci-upstream-kasan-gce-root 2019/12/06 04:11 upstream b0d4beaa5a4b 98b4ef2d .config log report
ci-upstream-kasan-gce-root 2019/12/06 02:41 upstream b0d4beaa5a4b 98b4ef2d .config log report
ci-upstream-kasan-gce-root 2019/12/05 06:24 upstream aedc0650f913 b2088328 .config log report
ci-upstream-kasan-gce-root 2019/12/04 15:42 upstream 63de37476ebd b2088328 .config log report
ci-upstream-kasan-gce 2019/12/04 14:02 upstream 63de37476ebd b2088328 .config log report
ci-upstream-kasan-gce-root 2019/12/04 09:02 upstream 63de37476ebd 0ecb9746 .config log report
ci-upstream-kasan-gce-root 2019/12/03 18:22 upstream 76bb8b05960c ae13a849 .config log report
ci-upstream-kasan-gce-root 2019/12/02 06:12 upstream ceb307474506 f879db37 .config log report
ci-upstream-kasan-gce-selinux-root 2019/12/02 00:41 upstream b94ae8ad9fe7 f879db37 .config log report
ci-upstream-kasan-gce-root 2019/12/01 23:35 upstream b94ae8ad9fe7 f879db37 .config log report
ci-upstream-kasan-gce 2019/12/01 20:40 upstream b94ae8ad9fe7 a76bf83f .config log report
ci-upstream-kasan-gce 2019/12/01 14:40 upstream b94ae8ad9fe7 a76bf83f .config log report
ci-upstream-kasan-gce-selinux-root 2019/12/01 00:03 upstream 32ef9553635a a76bf83f .config log report
ci-upstream-kasan-gce-root 2019/11/30 01:52 upstream 81b6b96475ac 3a75be00 .config log report
ci-upstream-kasan-gce-selinux-root 2019/11/29 13:39 upstream 81b6b96475ac d29b9e84 .config log report
ci-upstream-kasan-gce-smack-root 2019/11/28 21:55 upstream a6ed68d6468b 46869e3e .config log report
ci-upstream-kasan-gce-root 2019/11/27 22:32 upstream d76886972823 0d63f89c .config log report
ci-upstream-kasan-gce-smack-root 2019/11/27 21:08 upstream d76886972823 0d63f89c .config log report
ci-upstream-kasan-gce 2019/11/27 07:45 upstream 89d57dddd7d3 1048481f .config log report
ci-upstream-kasan-gce 2019/11/26 19:20 upstream be2eca94d144 1048481f .config log report
ci-upstream-kasan-gce 2018/08/30 20:58 upstream 58c3f14f86c9 938220fd .config log report
ci-upstream-kasan-gce-386 2019/12/10 04:39 upstream 6794862a16ef 4b83c8fb .config log report
ci-upstream-kasan-gce-386 2019/12/10 02:37 upstream 6794862a16ef 4b83c8fb .config log report
ci-upstream-kasan-gce-386 2019/12/07 23:06 upstream ad910e36da4c 1508f453 .config log report
ci-upstream-kasan-gce-386 2019/12/04 10:21 upstream 63de37476ebd 0ecb9746 .config log report
ci-upstream-kasan-gce-386 2019/11/29 01:23 upstream 81b6b96475ac 76357d6f .config log report
ci-upstream-kasan-gce-386 2019/11/28 01:09 upstream d76886972823 0d63f89c .config log report
ci-upstream-kasan-gce-386 2019/11/27 16:15 upstream 89d57dddd7d3 0d63f89c .config log report
ci-upstream-kasan-gce-386 2019/11/27 09:10 upstream 89d57dddd7d3 1048481f .config log report
ci-upstream-kasan-gce-386 2019/11/26 19:36 upstream be2eca94d144 1048481f .config log report
ci-upstream-linux-next-kasan-gce-root 2019/12/08 18:36 linux-next c34be716fb37 1508f453 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/12/07 12:44 linux-next 558c2bf52f61 85f26751 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/12/06 08:19 linux-next 838333c80c4f 98b4ef2d .config log report
ci-upstream-linux-next-kasan-gce-root 2019/12/05 14:24 linux-next 282ffdf30a3e 4fb74474 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/12/05 07:51 linux-next 282ffdf30a3e b2088328 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/12/01 00:41 linux-next 419593dad843 a76bf83f .config log report
ci-upstream-linux-next-kasan-gce-root 2019/11/29 08:16 linux-next 419593dad843 76357d6f .config log report
ci-upstream-linux-next-kasan-gce-root 2019/11/29 07:08 linux-next 419593dad843 76357d6f .config log report
ci-upstream-linux-next-kasan-gce-root 2019/11/28 12:25 linux-next d26b0e226f22 46869e3e .config log report
ci-upstream-linux-next-kasan-gce-root 2019/11/28 12:11 linux-next d26b0e226f22 46869e3e .config log report
ci-upstream-linux-next-kasan-gce-root 2019/11/27 18:02 linux-next 1875ff320f14 0d63f89c .config log report
ci-upstream-linux-next-kasan-gce-root 2019/11/27 13:56 linux-next 1875ff320f14 5a38f3f0 .config log report