possible deadlock in __might

possible deadlock in __might_fault
Status: fixed on 2018/03/23 18:14
Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com
Fix commit: 740a5759bf22 staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
First crash: 1305d, last: 1286d

similar bugs (7):
Kernel	Title	Repro	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	possible deadlock in __might_fault	C	done	385	642d	893d	1/1	fixed on 2020/01/18 20:51
linux-4.14	possible deadlock in __might_fault	C	done	295	651d	892d	1/1	fixed on 2020/01/09 09:47
android-44	possible deadlock in __might_fault	C		6745	1275d	1302d	2/2	fixed on 2018/04/24 18:02
android-49	possible deadlock in __might_fault	C		10264	1281d	1302d	3/3	fixed on 2018/04/24 17:23
android-414	possible deadlock in __might_fault			136	664d	892d	0/1	auto-closed as invalid on 2020/03/25 09:38
upstream	possible deadlock in __might_fault (3)	C		10722	646d	1117d	0/22	closed as dup on 2018/09/16 01:51
upstream	possible deadlock in __might_fault (2)	C		20	1239d	1242d	9/22	fixed on 2018/07/09 18:05

Sample crash report:

audit: type=1400 audit(1520889706.124:7): avc:  denied  { map } for  pid=4128 comm="syzkaller630279" path="/root/syzkaller630279704" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

audit: type=1400 audit(1520889706.124:8): avc:  denied  { map } for  pid=4128 comm="syzkaller630279" path="/dev/ashmem" dev="devtmpfs" ino=1139 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.16.0-rc5+ #351 Not tainted
------------------------------------------------------
syzkaller630279/4128 is trying to acquire lock:
 (&mm->mmap_sem){++++}, at: [<000000001d32bb58>] __might_fault+0xe0/0x1d0 mm/memory.c:4570

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362
       call_mmap include/linux/fs.h:1786 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1705
       do_mmap+0x6c0/0xe00 mm/mmap.c:1483
       do_mmap_pgoff include/linux/mm.h:2223 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:355
       SYSC_mmap_pgoff mm/mmap.c:1533 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&mm->mmap_sem){++++}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __might_fault+0x13a/0x1d0 mm/memory.c:4571
       _copy_from_user+0x2c/0x110 lib/usercopy.c:10
       copy_from_user include/linux/uaccess.h:147 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
       ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
       vfs_ioctl fs/ioctl.c:46 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syzkaller630279/4128:
 #0:  (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 #0:  (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

stack backtrace:
CPU: 1 PID: 4128 Comm: syzkaller630279 Not tainted 4.16.0-rc5+ #351
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 __might_fault+0x13a/0x1d0 mm/memory.c:4571
 _copy_from_user+0x2c/0x110 lib/usercopy.c:10
 copy_from_user include/linux/uaccess.h:147 [inline]
 ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
 ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43fd19
RSP: 002b:00007ffdf4578d98 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
RDX: 0000000000000000 RSI: 0000000000007709 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 000000000000000

Crashes (8978):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce	2018/03/12 21:24	upstream	0c8efd610b58	f505ca4b	.config	log	report	syz	C
ci-upstream-kasan-gce	2018/03/10 06:16	upstream	719ea86151f3	36d1c454	.config	log	report	syz	C
ci-upstream-kasan-gce	2018/03/08 08:19	upstream	851710a80961	d50edb7e	.config	log	report	syz	C
ci-upstream-kasan-gce	2018/03/06 12:44	upstream	094b58e1040a	aef0b792	.config	log	report	syz	C
ci-upstream-kasan-gce	2018/03/01 22:54	upstream	8da5db7ddae1	2c6f473e	.config	log	report	syz	C
ci-upstream-kasan-gce	2018/02/26 10:38	upstream	c89be5242607	9fe8aa42	.config	log	report	syz	C
ci-upstream-kasan-gce	2018/02/26 09:55	upstream	c89be5242607	9fe8aa42	.config	log	report	syz	C
ci-upstream-kasan-gce	2018/02/26 09:41	upstream	c89be5242607	9fe8aa42	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2018/02/26 10:20	upstream	c89be5242607	9fe8aa42	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2018/02/26 09:55	upstream	c89be5242607	9fe8aa42	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2018/02/26 09:41	upstream	c89be5242607	9fe8aa42	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2018/02/23 09:55	upstream	0f9da844d877	8d8e2494	.config	log	report	syz	C
ci-upstream-kasan-gce-386	2018/03/12 21:24	upstream	0c8efd610b58	f505ca4b	.config	log	report	syz
ci-upstream-kasan-gce-386	2018/03/10 06:45	upstream	719ea86151f3	36d1c454	.config	log	report	syz
ci-upstream-kasan-gce-386	2018/03/08 08:25	upstream	851710a80961	d50edb7e	.config	log	report	syz
ci-upstream-kasan-gce-386	2018/03/06 12:46	upstream	094b58e1040a	aef0b792	.config	log	report	syz
ci-upstream-kasan-gce-386	2018/03/05 07:47	upstream	e64b9562ba28	2c6f473e	.config	log	report	syz
ci-upstream-kasan-gce-386	2018/03/03 11:34	upstream	0573fed92b67	2c6f473e	.config	log	report	syz
ci-upstream-kasan-gce-386	2018/03/01 22:53	upstream	8da5db7ddae1	2c6f473e	.config	log	report	syz
ci-upstream-kasan-gce	2018/03/13 13:18	upstream	fc6eabbbf8ef	08dacaa0	.config	log	report
ci-upstream-kasan-gce	2018/03/13 01:19	upstream	fc6eabbbf8ef	f505ca4b	.config	log	report
ci-upstream-kasan-gce	2018/03/11 08:33	upstream	3266b5bd97ea	36d1c454	.config	log	report
ci-upstream-kasan-gce	2018/03/11 00:58	upstream	3266b5bd97ea	36d1c454	.config	log	report
ci-upstream-kasan-gce	2018/03/09 23:36	upstream	719ea86151f3	36d1c454	.config	log	report
ci-upstream-kasan-gce	2018/03/08 16:38	upstream	1b88accf6a65	acd0caa5	.config	log	report
ci-upstream-kasan-gce	2018/03/08 13:12	upstream	1b88accf6a65	acd0caa5	.config	log	report
ci-upstream-kasan-gce	2018/03/08 06:28	upstream	851710a80961	d50edb7e	.config	log	report
ci-upstream-kasan-gce	2018/03/06 19:36	upstream	ce380619fab9	c8a18476	.config	log	report
ci-upstream-kasan-gce	2018/03/05 16:18	upstream	661e50bc8532	bbd5104f	.config	log	report
ci-upstream-kasan-gce	2018/03/05 14:49	upstream	661e50bc8532	bbd5104f	.config	log	report
ci-upstream-kasan-gce	2018/03/05 13:08	upstream	661e50bc8532	bbd5104f	.config	log	report
ci-upstream-kasan-gce	2018/03/02 16:56	upstream	5d60e057d127	2c6f473e	.config	log	report
ci-upstream-kasan-gce	2018/03/02 12:32	upstream	5d60e057d127	2c6f473e	.config	log	report
ci-upstream-kasan-gce	2018/03/02 00:30	upstream	8da5db7ddae1	2c6f473e	.config	log	report
ci-upstream-kasan-gce	2018/02/27 18:33	upstream	6f70eb2b00eb	05b5a32c	.config	log	report
ci-upstream-kasan-gce	2018/02/25 23:11	upstream	3664ce2d9309	9fe8aa42	.config	log	report
ci-upstream-kasan-gce	2018/02/25 21:56	upstream	3664ce2d9309	9fe8aa42	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:36	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:32	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:29	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:29	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:25	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:24	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:16	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:13	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:12	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:05	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:05	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 14:03	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 13:52	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce	2018/02/25 13:48	upstream	3664ce2d9309	5c1e0207	.config	log	report
ci-upstream-kasan-gce-386	2018/03/13 14:42	upstream	fc6eabbbf8ef	08dacaa0	.config	log	report
ci-upstream-kasan-gce-386	2018/03/11 05:50	upstream	3266b5bd97ea	36d1c454	.config	log	report
ci-upstream-kasan-gce-386	2018/03/10 23:10	upstream	3266b5bd97ea	36d1c454	.config	log	report
ci-upstream-kasan-gce-386	2018/03/10 20:21	upstream	cdb06e9d8f52	36d1c454	.config	log	report
ci-upstream-kasan-gce-386	2018/03/10 18:47	upstream	cdb06e9d8f52	36d1c454	.config	log	report
ci-upstream-kasan-gce-386	2018/03/10 08:54	upstream	cdb06e9d8f52	36d1c454	.config	log	report
ci-upstream-kasan-gce-386	2018/03/07 09:15	upstream	86f84779d8e9	c8a18476	.config	log	report
ci-upstream-kasan-gce-386	2018/03/06 03:03	upstream	094b58e1040a	aef0b792	.config	log	report
ci-upstream-kasan-gce-386	2018/03/02 06:50	upstream	8da5db7ddae1	2c6f473e	.config	log	report
ci-upstream-kasan-gce-386	2018/02/28 05:17	upstream	f3afe530d644	05b5a32c	.config	log	report
ci-upstream-kasan-gce-386	2018/02/28 02:13	upstream	f3afe530d644	05b5a32c	.config	log	report
ci-upstream-kasan-gce-386	2018/02/23 09:33	upstream	0f9da844d877	8d8e2494	.config	log	report