| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| android-49 | possible deadlock in ashmem_llseek | 4 | | | | 5 | 2841d | 2886d | 3/3 | fixed on 2019/04/09 03:09 |
syzbot
======================================================
[ INFO: possible circular locking dependency detected ]
4.4.111-gc2f631b #27 Not tainted
-------------------------------------------------------
syz-executor5/6114 is trying to acquire lock:
(&sb->s_type->i_mutex_key#10){+.+.+.}, at: [<ffffffff814623f1>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
[ 42.960134] binder: 6084:6117 ioctl c0306201 20007000 returned -14
but task is already holding lock:
(ashmem_mutex){+.+.+.}, at: [<ffffffff82c63fc6>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:

-> #2 (ashmem_mutex){+.+.+.}:
[<ffffffff8123c7ee>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
[<ffffffff8376c46b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[<ffffffff8376c46b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
[<ffffffff82c63413>] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366
[<ffffffff814aff5f>] mmap_region+0x94f/0x1250 mm/mmap.c:1664
[<ffffffff814b0d5d>] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
[<ffffffff8146f10e>] do_mmap_pgoff include/linux/mm.h:1915 [inline]
[<ffffffff8146f10e>] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:272
[<ffffffff814aef2f>] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
[<ffffffff814aef2f>] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449
[<ffffffff8101beb6>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
[<ffffffff8101beb6>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
[<ffffffff83775919>] entry_SYSCALL_64_fastpath+0x16/0x92

-> #1 (&mm->mmap_sem):
[<ffffffff8123c7ee>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
[<ffffffff8149472a>] __might_fault+0x14a/0x1d0 mm/memory.c:3810
[<ffffffff8155a222>] copy_to_user arch/x86/include/asm/uaccess.h:760 [inline]
[<ffffffff8155a222>] filldir+0x162/0x2d0 fs/readdir.c:180
[<ffffffff815979ae>] dir_emit_dot include/linux/fs.h:3070 [inline]
[<ffffffff815979ae>] dir_emit_dots include/linux/fs.h:3081 [inline]
[<ffffffff815979ae>] dcache_readdir+0x11e/0x7b0 fs/libfs.c:150
[<ffffffff81559e68>] iterate_dir+0x1c8/0x420 fs/readdir.c:42
[<ffffffff8155ab5a>] SYSC_getdents fs/readdir.c:215 [inline]
[<ffffffff8155ab5a>] SyS_getdents+0x14a/0x270 fs/readdir.c:196
[<ffffffff83775919>] entry_SYSCALL_64_fastpath+0x16/0x92

-> #0 (&sb->s_type->i_mutex_key#10){+.+.+.}:
[<ffffffff81239b4f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[<ffffffff81239b4f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[<ffffffff81239b4f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
[<ffffffff81239b4f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
[<ffffffff8123c7ee>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
[<ffffffff8376c46b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[<ffffffff8376c46b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
[<ffffffff814623f1>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
[<ffffffff8151bbb2>] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
[<ffffffff82c64057>] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
[<ffffffff8151d9bb>] vfs_llseek fs/read_write.c:260 [inline]
[<ffffffff8151d9bb>] SYSC_lseek fs/read_write.c:285 [inline]
[<ffffffff8151d9bb>] SyS_lseek+0xeb/0x170 fs/read_write.c:276
[<ffffffff83775919>] entry_SYSCALL_64_fastpath+0x16/0x92
other info that might help us debug this:
Chain exists of:
  &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***
1 lock held by syz-executor5/6114:
#0: (ashmem_mutex){+.+.+.}, at: [<ffffffff82c63fc6>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330
stack backtrace:
CPU: 1 PID: 6114 Comm: syz-executor5 Not tainted 4.4.111-gc2f631b #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 2070ab71cf5bca2c ffff8801cde27ad8 ffffffff81d0513d
ffffffff8519d370 ffffffff851a6d00 ffffffff851bbe80 ffff8801c6172058
ffff8801c61717c0 ffff8801cde27b20 ffffffff81232bc1 ffff8801c6172058
Call Trace:
[<ffffffff81d0513d>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d0513d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff81232bc1>] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
[<ffffffff81239b4f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[<ffffffff81239b4f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[<ffffffff81239b4f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
[<ffffffff81239b4f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
[<ffffffff8123c7ee>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
[<ffffffff8376c46b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[<ffffffff8376c46b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
[<ffffffff814623f1>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
[<ffffffff8151bbb2>] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
[<ffffffff82c64057>] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
[<ffffffff8151d9bb>] vfs_llseek fs/read_write.c:260 [inline]
[<ffffffff8151d9bb>] SYSC_lseek fs/read_write.c:285 [inline]
[<ffffffff8151d9bb>] SyS_lseek+0xeb/0x170 fs/read_write.c:276
[<ffffffff83775919>] entry_SYSCALL_64_fastpath+0x16/0x92
binder: release 6085:6093 transaction 13 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 13, target dead
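The report above is three orderings that are each harmless on their own and only deadlock in combination: ashmem_mmap() takes ashmem_mutex under mmap_sem (#2), filldir()'s copy_to_user() may fault and take mmap_sem under the directory i_mutex (#1), and ashmem_llseek() holds ashmem_mutex while vfs_llseek() -> shmem_file_llseek() takes the backing inode's i_mutex (#0). The following is an added userspace example, not syzbot's or the kernel's code, that replays those three acquisitions through a small lock-order graph and finds the cycle the same way lockdep's check_prev_add() does. The enum names, the matrix representation and the helper functions are the example's own choices, not kernel identifiers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lock classes named after the three locks in the report (example's own enum). */
enum lock_class {
    ASHMEM_MUTEX,   /* ashmem_mutex */
    MMAP_SEM,       /* &mm->mmap_sem */
    I_MUTEX,        /* &sb->s_type->i_mutex_key#10 */
    NR_LOCKS
};

static const char *const lock_name[NR_LOCKS] = {
    "ashmem_mutex",
    "&mm->mmap_sem",
    "&sb->s_type->i_mutex_key#10",
};

/* dep[a][b] != 0 records "b was acquired while a was held" (edge a -> b). */
static int dep[NR_LOCKS][NR_LOCKS];

/* Cycle found by the most recent add_dependency() call, if any. */
static int cycle[NR_LOCKS];
static int cycle_len;

void reset_dependencies(void)
{
    memset(dep, 0, sizeof dep);
    cycle_len = 0;
}

/* Depth-first search for a path from `from` to `target` over recorded
 * edges; on success the path is left in cycle[] and its length returned. */
static int find_path(int from, int target, int depth, bool *visited)
{
    visited[from] = true;
    cycle[depth] = from;
    if (from == target)
        return depth + 1;
    for (int next = 0; next < NR_LOCKS; next++) {
        if (dep[from][next] && !visited[next]) {
            int len = find_path(next, target, depth + 1, visited);
            if (len)
                return len;
        }
    }
    return 0;
}

/* Record that `acquired` was taken while `held` was held, then check the
 * graph: the new edge closes a cycle iff `held` was already reachable
 * from `acquired`. Returns the cycle length, or 0 if the ordering is safe. */
int add_dependency(int held, int acquired)
{
    bool visited[NR_LOCKS] = { false };

    dep[held][acquired] = 1;
    cycle_len = find_path(acquired, held, 0, visited);
    return cycle_len;
}

/* i-th lock of the last detected cycle, or -1 past its end. */
int cycle_lock(int i)
{
    return (i >= 0 && i < cycle_len) ? cycle[i] : -1;
}

/* Replay the three orderings the report lists (reverse order, #2 first).
 * Returns the length of the cycle closed by the last one (3 for this report). */
int replay_report(void)
{
    reset_dependencies();

    /* #2: sys_mmap holds mmap_sem; ashmem_mmap() takes ashmem_mutex. */
    if (add_dependency(MMAP_SEM, ASHMEM_MUTEX))
        return cycle_len;
    /* #1: iterate_dir() holds the directory i_mutex; filldir()'s
     *     copy_to_user() may fault and take mmap_sem (__might_fault). */
    if (add_dependency(I_MUTEX, MMAP_SEM))
        return cycle_len;
    /* #0: ashmem_llseek() holds ashmem_mutex; vfs_llseek() ->
     *     shmem_file_llseek() takes the backing inode's i_mutex. */
    return add_dependency(ASHMEM_MUTEX, I_MUTEX);
}

int main(void)
{
    int n = replay_report();

    if (!n) {
        puts("no circular dependency");
        return 0;
    }
    printf("possible circular locking dependency; chain exists of:\n  ");
    for (int i = 0; i < n; i++)
        printf("%s%s", lock_name[cycle_lock(i)], i + 1 < n ? " --> " : "\n");
    return 0;
}
```

Run stand-alone it prints the same chain lockdep reports, i_mutex --> mmap_sem --> ashmem_mutex, closed by the #0 edge. Removing that edge from the graph (that is, not holding ashmem_mutex across the call into vfs_llseek()) leaves it acyclic, which is the shape any fix for this report has to take; the example makes no claim about how the actual patch did it.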
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018/01/17 05:42 | https://android.googlesource.com/kernel/common android-4.4 | c2f631bf4969 | a46e5318 | .config | console log | report | | | | | ci-android-44-kasan-gce | |
| 2018/03/20 21:44 | https://android.googlesource.com/kernel/common android-4.4 | d63fdf61a4dc | 72c33b66 | .config | console log | report | | | | | ci-android-44-kasan-gce-386 | |
| 2018/01/30 14:16 | https://android.googlesource.com/kernel/common android-4.4 | 962d1f3fe2f4 | a899be78 | .config | console log | report | | | | | ci-android-44-kasan-gce-386 | |
| 2018/01/20 11:29 | https://android.googlesource.com/kernel/common android-4.4 | 3fc4284df70b | fbbdcd92 | .config | console log | report | | | | | ci-android-44-kasan-gce-386 | |