syzbot


possible deadlock in path_openat

Status: auto-closed as invalid on 2020/03/24 08:43
Reported-by: syzbot+8ef33605f85b8c04d1ec@syzkaller.appspotmail.com
First crash: 1791d, last: 1775d
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream possible deadlock in path_openat fs C done unreliable 349 1646d 2201d 0/28 auto-obsoleted due to no activity on 2022/09/16 21:43
linux-6.1 possible deadlock in path_openat origin:upstream C 162 6d10h 571d 0/3 upstream: reported C repro on 2023/03/13 16:18
upstream possible deadlock in path_openat (2) reiserfs C error done 305 249d 725d 0/28 auto-obsoleted due to no activity on 2024/06/02 07:09
linux-4.14 possible deadlock in path_openat reiserfs C error 327 583d 1991d 0/1 upstream: reported C repro on 2019/04/24 01:40
linux-5.15 possible deadlock in path_openat origin:upstream missing-backport C error 154 87d 567d 0/3 upstream: reported C repro on 2023/03/17 13:15
linux-4.19 possible deadlock in path_openat C error 859 578d 1939d 0/1 upstream: reported C repro on 2019/06/15 07:08

Sample crash report:
IPv6: ADDRCONF(NETDEV_CHANGE): vti0: link becomes ready
======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #1 Not tainted
-------------------------------------------------------
syz-executor.0/23378 is trying to acquire lock:
 (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8153d309>] inode_lock_shared include/linux/fs.h:776 [inline]
 (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8153d309>] do_last fs/namei.c:3314 [inline]
 (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8153d309>] path_openat+0x1309/0x2790 fs/namei.c:3534
but task is already holding lock:
 (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff81520d73>] prepare_bprm_creds+0x53/0x110 fs/exec.c:1369
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&sig->cred_guard_mutex){+.+.+.}:
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_killable_nested+0xcc/0x9f0 kernel/locking/mutex.c:641
       mm_access+0x51/0x140 kernel/fork.c:1028
       map_files_d_revalidate+0xf6/0x6e0 fs/proc/base.c:1933
       d_revalidate fs/namei.c:789 [inline]
       lookup_slow+0x361/0x470 fs/namei.c:1656
       walk_component+0x822/0xcf0 fs/namei.c:1784
       lookup_last fs/namei.c:2266 [inline]
       path_lookupat.isra.10+0x186/0x410 fs/namei.c:2283
       filename_lookup.part.18+0x177/0x370 fs/namei.c:2317
       filename_lookup fs/namei.c:2310 [inline]
       user_path_at_empty+0x53/0x70 fs/namei.c:2578
       user_path_at include/linux/namei.h:55 [inline]
       SYSC_quotactl fs/quota/quota.c:862 [inline]
       SyS_quotactl+0x7c4/0x1250 fs/quota/quota.c:834
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

-> #0 (&sb->s_type->i_mutex_key){++++++}:
       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       down_read+0x44/0xb0 kernel/locking/rwsem.c:22
       inode_lock_shared include/linux/fs.h:776 [inline]
       do_last fs/namei.c:3314 [inline]
       path_openat+0x1309/0x2790 fs/namei.c:3534
       do_filp_open+0x197/0x270 fs/namei.c:3568
       do_open_execat+0x10f/0x640 fs/exec.c:844
       open_exec+0x43/0x60 fs/exec.c:876
       load_script+0x5a4/0x740 fs/binfmt_script.c:100
       search_binary_handler+0x14f/0x6f0 fs/exec.c:1621
       exec_binprm fs/exec.c:1663 [inline]
       do_execveat_common.isra.14+0x1139/0x1ed0 fs/exec.c:1785
       do_execveat fs/exec.c:1840 [inline]
       SYSC_execveat fs/exec.c:1921 [inline]
       SyS_execveat+0x55/0x70 fs/exec.c:1913
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sig->cred_guard_mutex);
                               lock(&sb->s_type->i_mutex_key);
                               lock(&sig->cred_guard_mutex);
  lock(&sb->s_type->i_mutex_key);

 *** DEADLOCK ***

1 lock held by syz-executor.0/23378:
 #0:  (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff81520d73>] prepare_bprm_creds+0x53/0x110 fs/exec.c:1369

stack backtrace:
CPU: 0 PID: 23378 Comm: syz-executor.0 Not tainted 4.9.141+ #1
 ffff8801c51b74d8 ffffffff81b42e79 ffffffff83c73360 ffffffff83ca2c70
 ffffffff83c73360 ffff8801a5c1a090 ffff8801a5c197c0 ffff8801c51b7520
 ffffffff813fee40 0000000000000001 00000000a5c1a070 0000000000000001
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff813fee40>] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202
 [<ffffffff8120a539>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [<ffffffff8120a539>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [<ffffffff8120a539>] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [<ffffffff8120a539>] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
 [<ffffffff8120c8d0>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [<ffffffff82811644>] down_read+0x44/0xb0 kernel/locking/rwsem.c:22
 [<ffffffff8153d309>] inode_lock_shared include/linux/fs.h:776 [inline]
 [<ffffffff8153d309>] do_last fs/namei.c:3314 [inline]
 [<ffffffff8153d309>] path_openat+0x1309/0x2790 fs/namei.c:3534
 [<ffffffff81541617>] do_filp_open+0x197/0x270 fs/namei.c:3568
 [<ffffffff8151b9cf>] do_open_execat+0x10f/0x640 fs/exec.c:844
 [<ffffffff8151bf43>] open_exec+0x43/0x60 fs/exec.c:876
 [<ffffffff8161c0d4>] load_script+0x5a4/0x740 fs/binfmt_script.c:100
 [<ffffffff8151fd9f>] search_binary_handler+0x14f/0x6f0 fs/exec.c:1621
 [<ffffffff81521f69>] exec_binprm fs/exec.c:1663 [inline]
 [<ffffffff81521f69>] do_execveat_common.isra.14+0x1139/0x1ed0 fs/exec.c:1785
 [<ffffffff815236c5>] do_execveat fs/exec.c:1840 [inline]
 [<ffffffff815236c5>] SYSC_execveat fs/exec.c:1921 [inline]
 [<ffffffff815236c5>] SyS_execveat+0x55/0x70 fs/exec.c:1913
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
IPv6: ADDRCONF(NETDEV_CHANGE): vti0: link becomes ready
ip6_tunnel: ! xmit: Local address not yet configured!
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
ip6_tunnel: ! xmit: Local address not yet configured!
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23454 comm=syz-executor.4
ip6_tunnel: ! xmit: Local address not yet configured!
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23486 comm=syz-executor.0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23489 comm=syz-executor.0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23492 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23505 comm=syz-executor.4
ip6_tunnel: ! xmit: Local address not yet configured!
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23508 comm=syz-executor.1
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
audit: type=1400 audit(1574671374.343:240): avc:  denied  { bind } for  pid=23580 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23582 comm=syz-executor.4
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23698 comm=syz-executor.5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23698 comm=syz-executor.5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23698 comm=syz-executor.5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23698 comm=syz-executor.5
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
selinux_nlmsg_perm: 4106 callbacks suppressed
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=16 sclass=netlink_audit_socket pig=23839 comm=syz-executor.5
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'.
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=16 sclass=netlink_audit_socket pig=23855 comm=syz-executor.5
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3
input: syz1 as /devices/virtual/input/input83
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23901 comm=syz-executor.3
input: syz1 as /devices/virtual/input/input84
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'.
input: syz1 as /devices/virtual/input/input85
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'.
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/11/25 08:43 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 598ca6c8 .config console log report ci-android-49-kasan-gce
2019/11/23 17:00 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 598ca6c8 .config console log report ci-android-49-kasan-gce
2019/11/20 00:17 android-4.9 258971b8e1ac 5bc70212 .config console log report ci-android-49-kasan-gce-root
2019/11/17 00:00 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 d5696d51 .config console log report ci-android-49-kasan-gce
2019/11/09 23:01 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 dc438b91 .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.