possible deadlock in path

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	possible deadlock in path_openat fs	C	done	unreliable	349	1493d	2048d	0/26	auto-obsoleted due to no activity on 2022/09/16 21:43
linux-6.1	possible deadlock in path_openat origin:upstream	C			149	2d06h	418d	0/3	upstream: reported C repro on 2023/03/13 16:18
upstream	possible deadlock in path_openat (2) reiserfs	C	error	done	305	96d	571d	0/26	upstream: reported C repro on 2022/10/11 06:35
linux-4.14	possible deadlock in path_openat reiserfs	C		error	327	430d	1838d	0/1	upstream: reported C repro on 2019/04/24 01:40
linux-5.15	possible deadlock in path_openat origin:upstream missing-backport	C		error	139	22h40m	414d	0/3	upstream: reported C repro on 2023/03/17 13:15
linux-4.19	possible deadlock in path_openat	C		error	859	425d	1785d	0/1	upstream: reported C repro on 2019/06/15 07:08

IPv6: ADDRCONF(NETDEV_CHANGE): vti0: link becomes ready ====================================================== [ INFO: possible circular locking dependency detected ] 4.9.141+ #1 Not tainted ------------------------------------------------------- syz-executor.0/23378 is trying to acquire lock: (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8153d309>] inode_lock_shared include/linux/fs.h:776 [inline] (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8153d309>] do_last fs/namei.c:3314 [inline] (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8153d309>] path_openat+0x1309/0x2790 fs/namei.c:3534 but task is already holding lock: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff81520d73>] prepare_bprm_creds+0x53/0x110 fs/exec.c:1369 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&sig->cred_guard_mutex){+.+.+.}: lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756 __mutex_lock_common kernel/locking/mutex.c:521 [inline] mutex_lock_killable_nested+0xcc/0x9f0 kernel/locking/mutex.c:641 mm_access+0x51/0x140 kernel/fork.c:1028 map_files_d_revalidate+0xf6/0x6e0 fs/proc/base.c:1933 d_revalidate fs/namei.c:789 [inline] lookup_slow+0x361/0x470 fs/namei.c:1656 walk_component+0x822/0xcf0 fs/namei.c:1784 lookup_last fs/namei.c:2266 [inline] path_lookupat.isra.10+0x186/0x410 fs/namei.c:2283 filename_lookup.part.18+0x177/0x370 fs/namei.c:2317 filename_lookup fs/namei.c:2310 [inline] user_path_at_empty+0x53/0x70 fs/namei.c:2578 user_path_at include/linux/namei.h:55 [inline] SYSC_quotactl fs/quota/quota.c:862 [inline] SyS_quotactl+0x7c4/0x1250 fs/quota/quota.c:834 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285 entry_SYSCALL_64_after_swapgs+0x5d/0xdb -> #0 (&sb->s_type->i_mutex_key){++++++}: check_prev_add kernel/locking/lockdep.c:1828 [inline] check_prevs_add kernel/locking/lockdep.c:1938 [inline] validate_chain kernel/locking/lockdep.c:2265 [inline] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345 lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756 down_read+0x44/0xb0 kernel/locking/rwsem.c:22 inode_lock_shared include/linux/fs.h:776 [inline] do_last fs/namei.c:3314 [inline] path_openat+0x1309/0x2790 fs/namei.c:3534 do_filp_open+0x197/0x270 fs/namei.c:3568 do_open_execat+0x10f/0x640 fs/exec.c:844 open_exec+0x43/0x60 fs/exec.c:876 load_script+0x5a4/0x740 fs/binfmt_script.c:100 search_binary_handler+0x14f/0x6f0 fs/exec.c:1621 exec_binprm fs/exec.c:1663 [inline] do_execveat_common.isra.14+0x1139/0x1ed0 fs/exec.c:1785 do_execveat fs/exec.c:1840 [inline] SYSC_execveat fs/exec.c:1921 [inline] SyS_execveat+0x55/0x70 fs/exec.c:1913 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285 entry_SYSCALL_64_after_swapgs+0x5d/0xdb other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&sig->cred_guard_mutex); lock(&sb->s_type->i_mutex_key); lock(&sig->cred_guard_mutex); lock(&sb->s_type->i_mutex_key); *** DEADLOCK *** 1 lock held by syz-executor.0/23378: #0: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff81520d73>] prepare_bprm_creds+0x53/0x110 fs/exec.c:1369 stack backtrace: CPU: 0 PID: 23378 Comm: syz-executor.0 Not tainted 4.9.141+ #1 ffff8801c51b74d8 ffffffff81b42e79 ffffffff83c73360 ffffffff83ca2c70 ffffffff83c73360 ffff8801a5c1a090 ffff8801a5c197c0 ffff8801c51b7520 ffffffff813fee40 0000000000000001 00000000a5c1a070 0000000000000001 Call Trace: [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [<ffffffff813fee40>] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202 [<ffffffff8120a539>] check_prev_add kernel/locking/lockdep.c:1828 [inline] [<ffffffff8120a539>] check_prevs_add kernel/locking/lockdep.c:1938 [inline] [<ffffffff8120a539>] validate_chain kernel/locking/lockdep.c:2265 [inline] [<ffffffff8120a539>] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345 [<ffffffff8120c8d0>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756 [<ffffffff82811644>] down_read+0x44/0xb0 kernel/locking/rwsem.c:22 [<ffffffff8153d309>] inode_lock_shared include/linux/fs.h:776 [inline] [<ffffffff8153d309>] do_last fs/namei.c:3314 [inline] [<ffffffff8153d309>] path_openat+0x1309/0x2790 fs/namei.c:3534 [<ffffffff81541617>] do_filp_open+0x197/0x270 fs/namei.c:3568 [<ffffffff8151b9cf>] do_open_execat+0x10f/0x640 fs/exec.c:844 [<ffffffff8151bf43>] open_exec+0x43/0x60 fs/exec.c:876 [<ffffffff8161c0d4>] load_script+0x5a4/0x740 fs/binfmt_script.c:100 [<ffffffff8151fd9f>] search_binary_handler+0x14f/0x6f0 fs/exec.c:1621 [<ffffffff81521f69>] exec_binprm fs/exec.c:1663 [inline] [<ffffffff81521f69>] do_execveat_common.isra.14+0x1139/0x1ed0 fs/exec.c:1785 [<ffffffff815236c5>] do_execveat fs/exec.c:1840 [inline] [<ffffffff815236c5>] SYSC_execveat fs/exec.c:1921 [inline] [<ffffffff815236c5>] SyS_execveat+0x55/0x70 fs/exec.c:1913 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb IPv6: ADDRCONF(NETDEV_CHANGE): vti0: link becomes ready ip6_tunnel: ! xmit: Local address not yet configured! ip6_tunnel: ip6tnl1 xmit: Local address not yet configured! IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready ip6_tunnel: ! xmit: Local address not yet configured! SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23454 comm=syz-executor.4 ip6_tunnel: ! xmit: Local address not yet configured! ip6_tunnel: ip6tnl1 xmit: Local address not yet configured! SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23486 comm=syz-executor.0 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23489 comm=syz-executor.0 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23492 comm=syz-executor.1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23505 comm=syz-executor.4 ip6_tunnel: ! xmit: Local address not yet configured! SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23508 comm=syz-executor.1 ip6_tunnel: ip6tnl1 xmit: Local address not yet configured! audit: type=1400 audit(1574671374.343:240): avc: denied { bind } for pid=23580 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23582 comm=syz-executor.4 Dead loop on virtual device ip6_vti0, fix it urgently! Dead loop on virtual device ip6_vti0, fix it urgently! Dead loop on virtual device ip6_vti0, fix it urgently! Dead loop on virtual device ip6_vti0, fix it urgently! Dead loop on virtual device ip6_vti0, fix it urgently! Dead loop on virtual device ip6_vti0, fix it urgently! netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23698 comm=syz-executor.5 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23698 comm=syz-executor.5 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23698 comm=syz-executor.5 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23698 comm=syz-executor.5 IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready qtaguid: iface_stat: create6(lo): no inet dev IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready qtaguid: iface_stat: create6(lo): no inet dev selinux_nlmsg_perm: 4106 callbacks suppressed SELinux: unrecognized netlink message: protocol=9 nlmsg_type=16 sclass=netlink_audit_socket pig=23839 comm=syz-executor.5 netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'. SELinux: unrecognized netlink message: protocol=9 nlmsg_type=16 sclass=netlink_audit_socket pig=23855 comm=syz-executor.5 netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3 input: syz1 as /devices/virtual/input/input83 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3 input: syz1 as /devices/virtual/input/input84 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. input: syz1 as /devices/virtual/input/input85 netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. qtaguid: iface_stat: create(lo): no inet dev qtaguid: iface_stat: create6(lo): no inet dev IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready qtaguid: iface_stat: create6(lo): no inet dev

Crashes (5):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Manager
2019/11/25 08:43	https://android.googlesource.com/kernel/common android-4.9	8fe428403e30	598ca6c8	.config	console log	report	ci-android-49-kasan-gce
2019/11/23 17:00	https://android.googlesource.com/kernel/common android-4.9	8fe428403e30	598ca6c8	.config	console log	report	ci-android-49-kasan-gce
2019/11/20 00:17	android-4.9	258971b8e1ac	5bc70212	.config	console log	report	ci-android-49-kasan-gce-root
2019/11/17 00:00	https://android.googlesource.com/kernel/common android-4.9	8fe428403e30	d5696d51	.config	console log	report	ci-android-49-kasan-gce
2019/11/09 23:01	https://android.googlesource.com/kernel/common android-4.9	8fe428403e30	dc438b91	.config	console log	report	ci-android-49-kasan-gce

Crashes (5):

Assets (help?)