syzbot


possible deadlock in __might_fault

Status: fixed on 2018/03/23 18:14
Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com
Fix commit: 740a5759bf22 staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
First crash: 1584d, last: 1565d
similar bugs (7):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 possible deadlock in __might_fault C done 385 921d 1172d 1/1 fixed on 2020/01/18 20:51
linux-4.14 possible deadlock in __might_fault C done 295 930d 1171d 1/1 fixed on 2020/01/09 09:47
android-44 possible deadlock in __might_fault C 6745 1554d 1581d 2/2 fixed on 2018/04/24 18:02
android-49 possible deadlock in __might_fault C 10264 1560d 1581d 3/3 fixed on 2018/04/24 17:23
android-414 possible deadlock in __might_fault 136 943d 1171d 0/1 auto-closed as invalid on 2020/03/25 09:38
upstream possible deadlock in __might_fault (3) C 10722 925d 1396d 0/22 closed as dup on 2018/09/16 01:51
upstream possible deadlock in __might_fault (2) C 20 1518d 1521d 9/22 fixed on 2018/07/09 18:05

Sample crash report:
audit: type=1400 audit(1520889706.124:7): avc:  denied  { map } for  pid=4128 comm="syzkaller630279" path="/root/syzkaller630279704" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

audit: type=1400 audit(1520889706.124:8): avc:  denied  { map } for  pid=4128 comm="syzkaller630279" path="/dev/ashmem" dev="devtmpfs" ino=1139 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.16.0-rc5+ #351 Not tainted
------------------------------------------------------
syzkaller630279/4128 is trying to acquire lock:
 (&mm->mmap_sem){++++}, at: [<000000001d32bb58>] __might_fault+0xe0/0x1d0 mm/memory.c:4570

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362
       call_mmap include/linux/fs.h:1786 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1705
       do_mmap+0x6c0/0xe00 mm/mmap.c:1483
       do_mmap_pgoff include/linux/mm.h:2223 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:355
       SYSC_mmap_pgoff mm/mmap.c:1533 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&mm->mmap_sem){++++}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __might_fault+0x13a/0x1d0 mm/memory.c:4571
       _copy_from_user+0x2c/0x110 lib/usercopy.c:10
       copy_from_user include/linux/uaccess.h:147 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
       ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
       vfs_ioctl fs/ioctl.c:46 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syzkaller630279/4128:
 #0:  (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 #0:  (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

stack backtrace:
CPU: 1 PID: 4128 Comm: syzkaller630279 Not tainted 4.16.0-rc5+ #351
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 __might_fault+0x13a/0x1d0 mm/memory.c:4571
 _copy_from_user+0x2c/0x110 lib/usercopy.c:10
 copy_from_user include/linux/uaccess.h:147 [inline]
 ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
 ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43fd19
RSP: 002b:00007ffdf4578d98 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
RDX: 0000000000000000 RSI: 0000000000007709 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 000000000000000

Crashes (8978):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2018/03/12 21:24 upstream 0c8efd610b58 f505ca4b .config log report syz C
ci-upstream-kasan-gce 2018/03/10 06:16 upstream 719ea86151f3 36d1c454 .config log report syz C
ci-upstream-kasan-gce 2018/03/08 08:19 upstream 851710a80961 d50edb7e .config log report syz C
ci-upstream-kasan-gce 2018/03/06 12:44 upstream 094b58e1040a aef0b792 .config log report syz C
ci-upstream-kasan-gce 2018/03/01 22:54 upstream 8da5db7ddae1 2c6f473e .config log report syz C
ci-upstream-kasan-gce 2018/02/26 10:38 upstream c89be5242607 9fe8aa42 .config log report syz C
ci-upstream-kasan-gce 2018/02/26 09:55 upstream c89be5242607 9fe8aa42 .config log report syz C
ci-upstream-kasan-gce 2018/02/26 09:41 upstream c89be5242607 9fe8aa42 .config log report syz C
ci-upstream-kasan-gce-386 2018/02/26 10:20 upstream c89be5242607 9fe8aa42 .config log report syz C
ci-upstream-kasan-gce-386 2018/02/26 09:55 upstream c89be5242607 9fe8aa42 .config log report syz C
ci-upstream-kasan-gce-386 2018/02/26 09:41 upstream c89be5242607 9fe8aa42 .config log report syz C
ci-upstream-kasan-gce-386 2018/02/23 09:55 upstream 0f9da844d877 8d8e2494 .config log report syz C
ci-upstream-kasan-gce-386 2018/03/12 21:24 upstream 0c8efd610b58 f505ca4b .config log report syz
ci-upstream-kasan-gce-386 2018/03/10 06:45 upstream 719ea86151f3 36d1c454 .config log report syz
ci-upstream-kasan-gce-386 2018/03/08 08:25 upstream 851710a80961 d50edb7e .config log report syz
ci-upstream-kasan-gce-386 2018/03/06 12:46 upstream 094b58e1040a aef0b792 .config log report syz
ci-upstream-kasan-gce-386 2018/03/05 07:47 upstream e64b9562ba28 2c6f473e .config log report syz
ci-upstream-kasan-gce-386 2018/03/03 11:34 upstream 0573fed92b67 2c6f473e .config log report syz
ci-upstream-kasan-gce-386 2018/03/01 22:53 upstream 8da5db7ddae1 2c6f473e .config log report syz
ci-upstream-kasan-gce 2018/03/13 13:18 upstream fc6eabbbf8ef 08dacaa0 .config log report
ci-upstream-kasan-gce 2018/03/13 01:19 upstream fc6eabbbf8ef f505ca4b .config log report
ci-upstream-kasan-gce 2018/03/11 08:33 upstream 3266b5bd97ea 36d1c454 .config log report
ci-upstream-kasan-gce 2018/03/11 00:58 upstream 3266b5bd97ea 36d1c454 .config log report
ci-upstream-kasan-gce 2018/03/09 23:36 upstream 719ea86151f3 36d1c454 .config log report
ci-upstream-kasan-gce 2018/03/08 16:38 upstream 1b88accf6a65 acd0caa5 .config log report
ci-upstream-kasan-gce 2018/03/08 13:12 upstream 1b88accf6a65 acd0caa5 .config log report
ci-upstream-kasan-gce 2018/03/08 06:28 upstream 851710a80961 d50edb7e .config log report
ci-upstream-kasan-gce 2018/03/06 19:36 upstream ce380619fab9 c8a18476 .config log report
ci-upstream-kasan-gce 2018/03/05 16:18 upstream 661e50bc8532 bbd5104f .config log report
ci-upstream-kasan-gce 2018/03/05 14:49 upstream 661e50bc8532 bbd5104f .config log report
ci-upstream-kasan-gce 2018/03/05 13:08 upstream 661e50bc8532 bbd5104f .config log report
ci-upstream-kasan-gce 2018/03/02 16:56 upstream 5d60e057d127 2c6f473e .config log report
ci-upstream-kasan-gce 2018/03/02 12:32 upstream 5d60e057d127 2c6f473e .config log report
ci-upstream-kasan-gce 2018/03/02 00:30 upstream 8da5db7ddae1 2c6f473e .config log report
ci-upstream-kasan-gce 2018/02/27 18:33 upstream 6f70eb2b00eb 05b5a32c .config log report
ci-upstream-kasan-gce 2018/02/25 23:11 upstream 3664ce2d9309 9fe8aa42 .config log report
ci-upstream-kasan-gce 2018/02/25 21:56 upstream 3664ce2d9309 9fe8aa42 .config log report
ci-upstream-kasan-gce 2018/02/25 14:36 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:32 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:29 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:29 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:25 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:24 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:16 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:13 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:12 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:05 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:05 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 14:03 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 13:52 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce 2018/02/25 13:48 upstream 3664ce2d9309 5c1e0207 .config log report
ci-upstream-kasan-gce-386 2018/03/13 14:42 upstream fc6eabbbf8ef 08dacaa0 .config log report
ci-upstream-kasan-gce-386 2018/03/11 05:50 upstream 3266b5bd97ea 36d1c454 .config log report
ci-upstream-kasan-gce-386 2018/03/10 23:10 upstream 3266b5bd97ea 36d1c454 .config log report
ci-upstream-kasan-gce-386 2018/03/10 20:21 upstream cdb06e9d8f52 36d1c454 .config log report
ci-upstream-kasan-gce-386 2018/03/10 18:47 upstream cdb06e9d8f52 36d1c454 .config log report
ci-upstream-kasan-gce-386 2018/03/10 08:54 upstream cdb06e9d8f52 36d1c454 .config log report
ci-upstream-kasan-gce-386 2018/03/07 09:15 upstream 86f84779d8e9 c8a18476 .config log report
ci-upstream-kasan-gce-386 2018/03/06 03:03 upstream 094b58e1040a aef0b792 .config log report
ci-upstream-kasan-gce-386 2018/03/02 06:50 upstream 8da5db7ddae1 2c6f473e .config log report
ci-upstream-kasan-gce-386 2018/02/28 05:17 upstream f3afe530d644 05b5a32c .config log report
ci-upstream-kasan-gce-386 2018/02/28 02:13 upstream f3afe530d644 05b5a32c .config log report
ci-upstream-kasan-gce-386 2018/02/23 09:33 upstream 0f9da844d877 8d8e2494 .config log report