syzbot


possible deadlock in ashmem_llseek

Status: fixed on 2019/04/09 03:26
Fix commit: staging: android: ashmem: Fix lockdep issue during llseek
First crash: 2501d, last: 2438d
Similar bugs (1)
Kernel      Title                               Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
android-49  possible deadlock in ashmem_llseek  -      -             -           5      2453d  2497d     3/3      fixed on 2019/04/09 03:09

Sample crash report:
======================================================
[ INFO: possible circular locking dependency detected ]
4.4.111-gc2f631b #27 Not tainted
-------------------------------------------------------
syz-executor5/6114 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [   42.960134] binder: 6084:6117 ioctl c0306201 20007000 returned -14
[<ffffffff814623f1>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [<ffffffff82c63fc6>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       [<ffffffff8123c7ee>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff8376c46b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8376c46b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [<ffffffff82c63413>] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366
       [<ffffffff814aff5f>] mmap_region+0x94f/0x1250 mm/mmap.c:1664
       [<ffffffff814b0d5d>] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
       [<ffffffff8146f10e>] do_mmap_pgoff include/linux/mm.h:1915 [inline]
       [<ffffffff8146f10e>] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:272
       [<ffffffff814aef2f>] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
       [<ffffffff814aef2f>] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449
       [<ffffffff8101beb6>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
       [<ffffffff8101beb6>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
       [<ffffffff83775919>] entry_SYSCALL_64_fastpath+0x16/0x92

       [<ffffffff8123c7ee>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff8149472a>] __might_fault+0x14a/0x1d0 mm/memory.c:3810
       [<ffffffff8155a222>] copy_to_user arch/x86/include/asm/uaccess.h:760 [inline]
       [<ffffffff8155a222>] filldir+0x162/0x2d0 fs/readdir.c:180
       [<ffffffff815979ae>] dir_emit_dot include/linux/fs.h:3070 [inline]
       [<ffffffff815979ae>] dir_emit_dots include/linux/fs.h:3081 [inline]
       [<ffffffff815979ae>] dcache_readdir+0x11e/0x7b0 fs/libfs.c:150
       [<ffffffff81559e68>] iterate_dir+0x1c8/0x420 fs/readdir.c:42
       [<ffffffff8155ab5a>] SYSC_getdents fs/readdir.c:215 [inline]
       [<ffffffff8155ab5a>] SyS_getdents+0x14a/0x270 fs/readdir.c:196
       [<ffffffff83775919>] entry_SYSCALL_64_fastpath+0x16/0x92

       [<ffffffff81239b4f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [<ffffffff81239b4f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [<ffffffff81239b4f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [<ffffffff81239b4f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
       [<ffffffff8123c7ee>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff8376c46b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8376c46b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [<ffffffff814623f1>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
       [<ffffffff8151bbb2>] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
       [<ffffffff82c64057>] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
       [<ffffffff8151d9bb>] vfs_llseek fs/read_write.c:260 [inline]
       [<ffffffff8151d9bb>] SYSC_lseek fs/read_write.c:285 [inline]
       [<ffffffff8151d9bb>] SyS_lseek+0xeb/0x170 fs/read_write.c:276
       [<ffffffff83775919>] entry_SYSCALL_64_fastpath+0x16/0x92

other info that might help us debug this:

Chain exists of:
 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor5/6114:
 #0:  (ashmem_mutex){+.+.+.}, at: [<ffffffff82c63fc6>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

stack backtrace:
CPU: 1 PID: 6114 Comm: syz-executor5 Not tainted 4.4.111-gc2f631b #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 2070ab71cf5bca2c ffff8801cde27ad8 ffffffff81d0513d
 ffffffff8519d370 ffffffff851a6d00 ffffffff851bbe80 ffff8801c6172058
 ffff8801c61717c0 ffff8801cde27b20 ffffffff81232bc1 ffff8801c6172058
Call Trace:
 [<ffffffff81d0513d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0513d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81232bc1>] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
 [<ffffffff81239b4f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [<ffffffff81239b4f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [<ffffffff81239b4f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [<ffffffff81239b4f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
 [<ffffffff8123c7ee>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [<ffffffff8376c46b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [<ffffffff8376c46b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
 [<ffffffff814623f1>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
binder: release 6085:6093 transaction 13 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 13, target dead
 [<ffffffff8151bbb2>] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
 [<ffffffff82c64057>] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
 [<ffffffff8151d9bb>] vfs_llseek fs/read_write.c:260 [inline]
 [<ffffffff8151d9bb>] SYSC_lseek fs/read_write.c:285 [inline]
 [<ffffffff8151d9bb>] SyS_lseek+0xeb/0x170 fs/read_write.c:276
 [<ffffffff83775919>] entry_SYSCALL_64_fastpath+0x16/0x92

Crashes (4):
Time              Kernel                                                    Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets  Manager                     Title
2018/01/17 05:42  https://android.googlesource.com/kernel/common android-4.4  c2f631bf4969  a46e5318   .config  console log  report  -          -        -        -       ci-android-44-kasan-gce     -
2018/03/20 21:44  https://android.googlesource.com/kernel/common android-4.4  d63fdf61a4dc  72c33b66   .config  console log  report  -          -        -        -       ci-android-44-kasan-gce-386 -
2018/01/30 14:16  https://android.googlesource.com/kernel/common android-4.4  962d1f3fe2f4  a899be78   .config  console log  report  -          -        -        -       ci-android-44-kasan-gce-386 -
2018/01/20 11:29  https://android.googlesource.com/kernel/common android-4.4  3fc4284df70b  fbbdcd92   .config  console log  report  -          -        -        -       ci-android-44-kasan-gce-386 -
* Struck through repros no longer work on HEAD.