possible deadlock in shmem

Kernel	Title	Repro	Cause bisect	Count	Last	Reported	Patched	Status
linux-4.19	possible deadlock in shmem_fallocate (2)			2	1440d	1508d	0/1	auto-closed as invalid on 2020/09/14 02:25
linux-4.19	possible deadlock in shmem_fallocate			1	1730d	1730d	0/1	auto-closed as invalid on 2019/11/29 05:22
android-49	possible deadlock in shmem_fallocate	C		2441	1605d	1842d	0/3	public: reported C repro on 2019/04/11 08:44
android-414	possible deadlock in shmem_fallocate	C		7876	1605d	1842d	0/1	public: reported C repro on 2019/04/11 00:00
upstream	possible deadlock in shmem_fallocate (3) mm			1	1694d	1690d	0/26	auto-closed as invalid on 2019/11/05 02:34
upstream	possible deadlock in shmem_fallocate (4) mm	C	done	81	1368d	1583d	15/26	fixed on 2020/09/16 22:51
upstream	possible deadlock in shmem_fallocate (2) mm	C		1325	1878d	2086d	11/26	fixed on 2019/03/28 12:00

====================================================== WARNING: possible circular locking dependency detected 4.14.0-rc1+ #97 Not tainted ------------------------------------------------------ loop0/20795 is trying to acquire lock: (&sb->s_type->i_mutex_key#9){++++}, at: [<ffffffff8190d1e1>] inode_lock include/linux/fs.h:712 [inline] (&sb->s_type->i_mutex_key#9){++++}, at: [<ffffffff8190d1e1>] shmem_fallocate+0x161/0x1180 mm/shmem.c:2841 but now in release context of a crosslock acquired at the following: ((complete)&ret.event){+.+.}, at: [<ffffffff822a9fae>] submit_bio_wait+0x15e/0x200 block/bio.c:953 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 ((complete)&ret.event){+.+.}: check_prevs_add kernel/locking/lockdep.c:2020 [inline] validate_chain kernel/locking/lockdep.c:2469 [inline] __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002 complete_acquire include/linux/completion.h:39 [inline] __wait_for_common kernel/sched/completion.c:108 [inline] wait_for_common_io kernel/sched/completion.c:128 [inline] wait_for_completion_io+0xc8/0x770 kernel/sched/completion.c:176 submit_bio_wait+0x15e/0x200 block/bio.c:953 blkdev_issue_zeroout+0x13c/0x1d0 block/blk-lib.c:370 sb_issue_zeroout include/linux/blkdev.h:1367 [inline] ext4_init_inode_table+0x4fd/0xdb1 fs/ext4/ialloc.c:1447 ext4_run_li_request fs/ext4/super.c:2866 [inline] ext4_lazyinit_thread+0x81a/0xd40 fs/ext4/super.c:2960 kthread+0x39c/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 -> #3 (&meta_group_info[i]->alloc_sem){++++}: check_prevs_add kernel/locking/lockdep.c:2020 [inline] validate_chain kernel/locking/lockdep.c:2469 [inline] __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002 down_read+0x96/0x150 kernel/locking/rwsem.c:23 __ext4_new_inode+0x26dc/0x4f00 fs/ext4/ialloc.c:1056 ext4_symlink+0x2d9/0xae0 fs/ext4/namei.c:3118 vfs_symlink+0x323/0x560 fs/namei.c:4115 SYSC_symlinkat fs/namei.c:4142 [inline] SyS_symlinkat fs/namei.c:4122 [inline] SYSC_symlink fs/namei.c:4155 [inline] SyS_symlink+0x134/0x200 fs/namei.c:4153 entry_SYSCALL_64_fastpath+0x1f/0xbe -> #2 (jbd2_handle){++++}: check_prevs_add kernel/locking/lockdep.c:2020 [inline] validate_chain kernel/locking/lockdep.c:2469 [inline] __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002 start_this_handle+0x4b8/0x1080 fs/jbd2/transaction.c:390 jbd2__journal_start+0x389/0x9f0 fs/jbd2/transaction.c:444 __ext4_journal_start_sb+0x15f/0x550 fs/ext4/ext4_jbd2.c:80 __ext4_journal_start fs/ext4/ext4_jbd2.h:314 [inline] ext4_dirty_inode+0x56/0xa0 fs/ext4/inode.c:5859 __mark_inode_dirty+0x912/0x1170 fs/fs-writeback.c:2096 generic_update_time+0x1b2/0x270 fs/inode.c:1649 update_time fs/inode.c:1665 [inline] touch_atime+0x26d/0x2f0 fs/inode.c:1737 file_accessed include/linux/fs.h:2061 [inline] ext4_file_mmap+0x161/0x1b0 fs/ext4/file.c:352 call_mmap include/linux/fs.h:1775 [inline] mmap_region+0xa99/0x15a0 mm/mmap.c:1690 do_mmap+0x6a1/0xd50 mm/mmap.c:1468 do_mmap_pgoff include/linux/mm.h:2150 [inline] vm_mmap_pgoff+0x1de/0x280 mm/util.c:333 SYSC_mmap_pgoff mm/mmap.c:1518 [inline] SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1476 SYSC_mmap arch/x86/kernel/sys_x86_64.c:99 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:90 entry_SYSCALL_64_fastpath+0x1f/0xbe -> #1 (&mm->mmap_sem){++++}: check_prevs_add kernel/locking/lockdep.c:2020 [inline] validate_chain kernel/locking/lockdep.c:2469 [inline] __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002 __might_fault+0x13a/0x1d0 mm/memory.c:4502 _copy_to_user+0x2c/0xc0 lib/usercopy.c:24 copy_to_user include/linux/uaccess.h:154 [inline] filldir+0x1a7/0x320 fs/readdir.c:196 dir_emit_dot include/linux/fs.h:3339 [inline] dir_emit_dots include/linux/fs.h:3350 [inline] dcache_readdir+0x12d/0x5e0 fs/libfs.c:192 iterate_dir+0x4b2/0x5d0 fs/readdir.c:51 SYSC_getdents fs/readdir.c:231 [inline] SyS_getdents+0x225/0x450 fs/readdir.c:212 entry_SYSCALL_64_fastpath+0x1f/0xbe -> #0 (&sb->s_type->i_mutex_key#9){++++}: down_write+0x87/0x120 kernel/locking/rwsem.c:53 inode_lock include/linux/fs.h:712 [inline] shmem_fallocate+0x161/0x1180 mm/shmem.c:2841 lo_discard drivers/block/loop.c:434 [inline] do_req_filebacked drivers/block/loop.c:570 [inline] loop_handle_cmd drivers/block/loop.c:1705 [inline] loop_queue_work+0x46f/0x3900 drivers/block/loop.c:1719 kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635 loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:836 other info that might help us debug this: Chain exists of: &sb->s_type->i_mutex_key#9 --> &meta_group_info[i]->alloc_sem --> (complete)&ret.event Possible unsafe locking scenario by crosslock: CPU0 CPU1 ---- ---- lock(&meta_group_info[i]->alloc_sem); lock((complete)&ret.event); lock(&sb->s_type->i_mutex_key#9); unlock((complete)&ret.event); *** DEADLOCK *** 1 lock held by loop0/20795: #0: (&x->wait#14){..-.}, at: [<ffffffff81527e78>] complete+0x18/0x80 kernel/sched/completion.c:34 stack backtrace: CPU: 0 PID: 20795 Comm: loop0 Not tainted 4.14.0-rc1+ #97 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_circular_bug+0x503/0x710 kernel/locking/lockdep.c:1259 check_prev_add+0x865/0x1520 kernel/locking/lockdep.c:1894 commit_xhlock kernel/locking/lockdep.c:5015 [inline] commit_xhlocks kernel/locking/lockdep.c:5059 [inline] lock_commit_crosslock+0xe73/0x1d10 kernel/locking/lockdep.c:5098 complete_release_commit include/linux/completion.h:49 [inline] complete+0x24/0x80 kernel/sched/completion.c:39 submit_bio_wait_endio+0x9c/0xd0 block/bio.c:930 bio_endio+0x2f8/0x8d0 block/bio.c:1843 req_bio_endio block/blk-core.c:204 [inline] blk_update_request+0x2a6/0xe20 block/blk-core.c:2743 blk_mq_end_request+0x54/0x120 block/blk-mq.c:509 lo_complete_rq+0xbe/0x1f0 drivers/block/loop.c:463 __blk_mq_complete_request+0x38f/0x6c0 block/blk-mq.c:550 blk_mq_complete_request+0x4f/0x60 block/blk-mq.c:570 loop_handle_cmd drivers/block/loop.c:1710 [inline] loop_queue_work+0x26b/0x3900 drivers/block/loop.c:1719 kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635 loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:836 kthread+0x39c/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 device gre0 entered promiscuous mode netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'. audit: type=1326 audit(1506171693.926:134): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=21313 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4520a9 code=0xffff0000 audit: type=1326 audit(1506171694.089:135): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=21313 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4520a9 code=0xffff0000 FAULT_INJECTION: forcing a failure. name fail_page_alloc, interval 1, probability 0, space 0, times 1 CPU: 0 PID: 21405 Comm: syz-executor3 Not tainted 4.14.0-rc1+ #97 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_fail_alloc_page mm/page_alloc.c:2897 [inline] prepare_alloc_pages mm/page_alloc.c:4152 [inline] __alloc_pages_nodemask+0x338/0xd80 mm/page_alloc.c:4191 alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2035 alloc_pages include/linux/gfp.h:505 [inline] skb_page_frag_refill+0x358/0x5f0 net/core/sock.c:2196 tun_build_skb.isra.42+0x2a2/0x1690 drivers/net/tun.c:1289 tun_get_user+0x1dad/0x2150 drivers/net/tun.c:1455 tun_chr_write_iter+0xde/0x190 drivers/net/tun.c:1579 call_write_iter include/linux/fs.h:1770 [inline] new_sync_write fs/read_write.c:468 [inline] __vfs_write+0x68a/0x970 fs/read_write.c:481 vfs_write+0x18f/0x510 fs/read_write.c:543 SYSC_write fs/read_write.c:588 [inline] SyS_write+0xef/0x220 fs/read_write.c:580 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x40c341 RSP: 002b:00007f7084da4c10 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 000000000040c341 RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000015 RBP: 00007f7084da4a10 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000f4240 R11: 0000000000000293 R12: 00000000004b6c37 R13: 00007f7084da4b48 R14: 00000000004b6c47 R15: 0000000000000000 netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'. sock: sock_set_timeout: `syz-executor0' (pid 21762) tries to set negative timeout sock: sock_set_timeout: `syz-executor0' (pid 21762) tries to set negative timeout QAT: Invalid ioctl QAT: Invalid ioctl audit: type=1326 audit(1506171696.448:136): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=22166 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4520a9 code=0xfff00000 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 0 PID: 22629 Comm: syz-executor2 Not tainted 4.14.0-rc1+ #97 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:31 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc mm/slab.c:3383 [inline] kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3625 kmalloc include/linux/slab.h:493 [inline] kzalloc include/linux/slab.h:666 [inline] snd_seq_port_connect+0xd8/0x6e0 sound/core/seq/seq_ports.c:568 snd_seq_ioctl_subscribe_port+0x212/0x2c0 sound/core/seq/seq_clientmgr.c:1443 snd_seq_kernel_client_ctl+0x122/0x160 sound/core/seq/seq_clientmgr.c:2339 snd_seq_oss_midi_open+0x493/0x7e0 sound/core/seq/oss/seq_oss_midi.c:375 snd_seq_oss_synth_reset+0x408/0x980 sound/core/seq/oss/seq_oss_synth.c:419 snd_seq_oss_reset+0x6c/0x260 sound/core/seq/oss/seq_oss_init.c:448 snd_seq_oss_release+0x71/0x120 sound/core/seq/oss/seq_oss_init.c:425 odev_release+0x52/0x70 sound/core/seq/oss/seq_oss.c:153 __fput+0x333/0x7f0 fs/file_table.c:210 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x199/0x270 kernel/task_work.c:112 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0xa52/0x1b40 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 get_signal+0x7e8/0x17e0 kernel/signal.c:2334 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808 exit_to_usermode_loop+0x224/0x300 arch/x86/entry/common.c:158 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath+0x42f/0x500 arch/x86/entry/common.c:266 entry_SYSCALL_64_fastpath+0xbc/0xbe RIP: 0033:0x4520a9 RSP: 002b:00007fd5c6005c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000000 RAX: fffffffffffffe00 RBX: 0000000000718000 RCX: 00000000004520a9 RDX: 000000000000001c RSI: 0000000020fb6000 RDI: 0000000000000006 RBP: 00000000000044b0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004ba3eb R13: 0000000000000016 R14: 0000000000000006 R15: 0000000020fb6000 QAT: Invalid ioctl QAT: Invalid ioctl FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 QAT: Invalid ioctl QAT: Invalid ioctl CPU: 1 PID: 23392 Comm: syz-executor3 Not tainted 4.14.0-rc1+ #97 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:31 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc_node mm/slab.c:3304 [inline] kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3649 alloc_task_struct_node kernel/fork.c:156 [inline] dup_task_struct kernel/fork.c:517 [inline] copy_process.part.36+0x1a6a/0x4af0 kernel/fork.c:1573 QAT: Invalid ioctl QAT: Invalid ioctl copy_process kernel/fork.c:1548 [inline] _do_fork+0x1ef/0xfe0 kernel/fork.c:2027 SYSC_clone kernel/fork.c:2137 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2131 do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287 entry_SYSCALL64_slow_path+0x25/0x25 RIP: 0033:0x4520a9 RSP: 002b:00007f7084da4c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004520a9 RDX: 00000000201b8ffc RSI: 00000000207f2000 RDI: 0000000000000000 RBP: 0000000000000450 R08: 00000000204d5000 R09: 0000000000000000 R10: 0000000020d74000 R11: 0000000000000216 R12: 00000000004b7454 R13: 0000000000000041 R14: 0000000000000000 R15: 00000000207f2000 QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl

Crashes (8087):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Manager
2017/09/23 13:01	upstream	c65da8e22b1d	c26ea367	.config	console log	report	ci-upstream-kasan-gce
2017/09/14 04:32	upstream	e7989f973ae1	96b8e399	.config	console log	report	ci-upstream-kasan-gce
2017/09/09 18:03	upstream	0e271fd59fe9	d18bfda0	.config	console log	report	ci-upstream-kasan-gce
2017/09/06 18:43	upstream	e7d0c41ecc2e	0ed1da4a	.config	console log	report	ci-upstream-kasan-gce
2017/09/06 12:19	upstream	e7d0c41ecc2e	0ed1da4a	.config	console log	report	ci-upstream-kasan-gce
2017/10/14 08:03	upstream	e837d9134be8	c26ea367	.config	console log	report	ci-upstream-kasan-gce-386
2017/10/10 23:05	upstream	a957fd420ca8	c26ea367	.config	console log	report	ci-upstream-kasan-gce-386
2017/10/03 03:25	upstream	9e66317d3c92	c26ea367	.config	console log	report	ci-upstream-kasan-gce-386
2017/10/02 14:24	upstream	9e66317d3c92	c26ea367	.config	console log	report	ci-upstream-kasan-gce-386
2017/09/29 16:09	upstream	770b782f555d	c26ea367	.config	console log	report	ci-upstream-kasan-gce-386
2017/09/28 04:02	upstream	225d3b674829	c26ea367	.config	console log	report	ci-upstream-kasan-gce-386
2017/10/06 19:45	linux-next	1418b852174a	c26ea367	.config	console log	report	ci-upstream-next-kasan-gce
2017/10/03 12:31	mmots	9af872441677	c26ea367	.config	console log	report	ci-upstream-mmots-kasan-gce
2017/10/02 04:11	linux-next	1418b852174a	c26ea367	.config	console log	report	ci-upstream-next-kasan-gce
2017/09/21 02:09	mmots	720bbe532b7c	c26ea367	.config	console log	report	ci-upstream-mmots-kasan-gce
2017/09/19 18:45	linux-next	840cc455c5f5	92f543f0	.config	console log	report	ci-upstream-next-kasan-gce
2017/09/18 04:49	mmots	720bbe532b7c	c26ea367	.config	console log	report	ci-upstream-mmots-kasan-gce
2017/09/15 00:27	linux-next	31fc38c47623	96b8e399	.config	console log	report	skylake-linux-next-kasan-qemu
2017/09/10 05:51	linux-next	58bcd35f859b	d18bfda0	.config	console log	report	skylake-linux-next-kasan-qemu
2017/09/08 18:46	linux-next	58bcd35f859b	d18bfda0	.config	console log	report	skylake-linux-next-kasan-qemu

Crashes (8087):

Assets (help?)

2017/09/23 13:01

upstream