syzbot


possible deadlock in shmem_fallocate

Status: closed as invalid on 2017/11/05 09:38
Subsystems: mm
[Documentation on labels]
First crash: 2647d, last: 2603d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 possible deadlock in shmem_fallocate (2) 2 1661d 1729d 0/1 auto-closed as invalid on 2020/09/14 02:25
linux-4.19 possible deadlock in shmem_fallocate 1 1951d 1951d 0/1 auto-closed as invalid on 2019/11/29 05:22
android-49 possible deadlock in shmem_fallocate C 2441 1826d 2063d 0/3 public: reported C repro on 2019/04/11 08:44
android-414 possible deadlock in shmem_fallocate C 7876 1826d 2063d 0/1 public: reported C repro on 2019/04/11 00:00
upstream possible deadlock in shmem_fallocate (3) mm 1 1915d 1911d 0/28 auto-closed as invalid on 2019/11/05 02:34
upstream possible deadlock in shmem_fallocate (4) mm C done 81 1589d 1803d 15/28 fixed on 2020/09/16 22:51
upstream possible deadlock in shmem_fallocate (2) mm C 1325 2098d 2307d 11/28 fixed on 2019/03/28 12:00

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
4.14.0-rc1+ #97 Not tainted
------------------------------------------------------
loop0/20795 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#9){++++}, at: [<ffffffff8190d1e1>] inode_lock include/linux/fs.h:712 [inline]
 (&sb->s_type->i_mutex_key#9){++++}, at: [<ffffffff8190d1e1>] shmem_fallocate+0x161/0x1180 mm/shmem.c:2841

but now in release context of a crosslock acquired at the following:
 ((complete)&ret.event){+.+.}, at: [<ffffffff822a9fae>] submit_bio_wait+0x15e/0x200 block/bio.c:953

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 ((complete)&ret.event){+.+.}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       complete_acquire include/linux/completion.h:39 [inline]
       __wait_for_common kernel/sched/completion.c:108 [inline]
       wait_for_common_io kernel/sched/completion.c:128 [inline]
       wait_for_completion_io+0xc8/0x770 kernel/sched/completion.c:176
       submit_bio_wait+0x15e/0x200 block/bio.c:953
       blkdev_issue_zeroout+0x13c/0x1d0 block/blk-lib.c:370
       sb_issue_zeroout include/linux/blkdev.h:1367 [inline]
       ext4_init_inode_table+0x4fd/0xdb1 fs/ext4/ialloc.c:1447
       ext4_run_li_request fs/ext4/super.c:2866 [inline]
       ext4_lazyinit_thread+0x81a/0xd40 fs/ext4/super.c:2960
       kthread+0x39c/0x470 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

-> #3 (&meta_group_info[i]->alloc_sem){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       down_read+0x96/0x150 kernel/locking/rwsem.c:23
       __ext4_new_inode+0x26dc/0x4f00 fs/ext4/ialloc.c:1056
       ext4_symlink+0x2d9/0xae0 fs/ext4/namei.c:3118
       vfs_symlink+0x323/0x560 fs/namei.c:4115
       SYSC_symlinkat fs/namei.c:4142 [inline]
       SyS_symlinkat fs/namei.c:4122 [inline]
       SYSC_symlink fs/namei.c:4155 [inline]
       SyS_symlink+0x134/0x200 fs/namei.c:4153
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #2 (jbd2_handle){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       start_this_handle+0x4b8/0x1080 fs/jbd2/transaction.c:390
       jbd2__journal_start+0x389/0x9f0 fs/jbd2/transaction.c:444
       __ext4_journal_start_sb+0x15f/0x550 fs/ext4/ext4_jbd2.c:80
       __ext4_journal_start fs/ext4/ext4_jbd2.h:314 [inline]
       ext4_dirty_inode+0x56/0xa0 fs/ext4/inode.c:5859
       __mark_inode_dirty+0x912/0x1170 fs/fs-writeback.c:2096
       generic_update_time+0x1b2/0x270 fs/inode.c:1649
       update_time fs/inode.c:1665 [inline]
       touch_atime+0x26d/0x2f0 fs/inode.c:1737
       file_accessed include/linux/fs.h:2061 [inline]
       ext4_file_mmap+0x161/0x1b0 fs/ext4/file.c:352
       call_mmap include/linux/fs.h:1775 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1690
       do_mmap+0x6a1/0xd50 mm/mmap.c:1468
       do_mmap_pgoff include/linux/mm.h:2150 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1518 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1476
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:99 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:90
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #1 (&mm->mmap_sem){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       __might_fault+0x13a/0x1d0 mm/memory.c:4502
       _copy_to_user+0x2c/0xc0 lib/usercopy.c:24
       copy_to_user include/linux/uaccess.h:154 [inline]
       filldir+0x1a7/0x320 fs/readdir.c:196
       dir_emit_dot include/linux/fs.h:3339 [inline]
       dir_emit_dots include/linux/fs.h:3350 [inline]
       dcache_readdir+0x12d/0x5e0 fs/libfs.c:192
       iterate_dir+0x4b2/0x5d0 fs/readdir.c:51
       SYSC_getdents fs/readdir.c:231 [inline]
       SyS_getdents+0x225/0x450 fs/readdir.c:212
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #0 (&sb->s_type->i_mutex_key#9){++++}:
       down_write+0x87/0x120 kernel/locking/rwsem.c:53
       inode_lock include/linux/fs.h:712 [inline]
       shmem_fallocate+0x161/0x1180 mm/shmem.c:2841
       lo_discard drivers/block/loop.c:434 [inline]
       do_req_filebacked drivers/block/loop.c:570 [inline]
       loop_handle_cmd drivers/block/loop.c:1705 [inline]
       loop_queue_work+0x46f/0x3900 drivers/block/loop.c:1719
       kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635
       loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:836

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#9 --> &meta_group_info[i]->alloc_sem --> (complete)&ret.event

 Possible unsafe locking scenario by crosslock:

       CPU0                    CPU1
       ----                    ----
  lock(&meta_group_info[i]->alloc_sem);
  lock((complete)&ret.event);
                               lock(&sb->s_type->i_mutex_key#9);
                               unlock((complete)&ret.event);

 *** DEADLOCK ***

1 lock held by loop0/20795:
 #0:  (&x->wait#14){..-.}, at: [<ffffffff81527e78>] complete+0x18/0x80 kernel/sched/completion.c:34

stack backtrace:
CPU: 0 PID: 20795 Comm: loop0 Not tainted 4.14.0-rc1+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_circular_bug+0x503/0x710 kernel/locking/lockdep.c:1259
 check_prev_add+0x865/0x1520 kernel/locking/lockdep.c:1894
 commit_xhlock kernel/locking/lockdep.c:5015 [inline]
 commit_xhlocks kernel/locking/lockdep.c:5059 [inline]
 lock_commit_crosslock+0xe73/0x1d10 kernel/locking/lockdep.c:5098
 complete_release_commit include/linux/completion.h:49 [inline]
 complete+0x24/0x80 kernel/sched/completion.c:39
 submit_bio_wait_endio+0x9c/0xd0 block/bio.c:930
 bio_endio+0x2f8/0x8d0 block/bio.c:1843
 req_bio_endio block/blk-core.c:204 [inline]
 blk_update_request+0x2a6/0xe20 block/blk-core.c:2743
 blk_mq_end_request+0x54/0x120 block/blk-mq.c:509
 lo_complete_rq+0xbe/0x1f0 drivers/block/loop.c:463
 __blk_mq_complete_request+0x38f/0x6c0 block/blk-mq.c:550
 blk_mq_complete_request+0x4f/0x60 block/blk-mq.c:570
 loop_handle_cmd drivers/block/loop.c:1710 [inline]
 loop_queue_work+0x26b/0x3900 drivers/block/loop.c:1719
 kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635
 loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:836
 kthread+0x39c/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
device gre0 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1326 audit(1506171693.926:134): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=21313 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4520a9 code=0xffff0000
audit: type=1326 audit(1506171694.089:135): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=21313 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4520a9 code=0xffff0000
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 21405 Comm: syz-executor3 Not tainted 4.14.0-rc1+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:2897 [inline]
 prepare_alloc_pages mm/page_alloc.c:4152 [inline]
 __alloc_pages_nodemask+0x338/0xd80 mm/page_alloc.c:4191
 alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2035
 alloc_pages include/linux/gfp.h:505 [inline]
 skb_page_frag_refill+0x358/0x5f0 net/core/sock.c:2196
 tun_build_skb.isra.42+0x2a2/0x1690 drivers/net/tun.c:1289
 tun_get_user+0x1dad/0x2150 drivers/net/tun.c:1455
 tun_chr_write_iter+0xde/0x190 drivers/net/tun.c:1579
 call_write_iter include/linux/fs.h:1770 [inline]
 new_sync_write fs/read_write.c:468 [inline]
 __vfs_write+0x68a/0x970 fs/read_write.c:481
 vfs_write+0x18f/0x510 fs/read_write.c:543
 SYSC_write fs/read_write.c:588 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:580
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x40c341
RSP: 002b:00007f7084da4c10 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 000000000040c341
RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000015
RBP: 00007f7084da4a10 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000f4240 R11: 0000000000000293 R12: 00000000004b6c37
R13: 00007f7084da4b48 R14: 00000000004b6c47 R15: 0000000000000000
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
sock: sock_set_timeout: `syz-executor0' (pid 21762) tries to set negative timeout
sock: sock_set_timeout: `syz-executor0' (pid 21762) tries to set negative timeout
QAT: Invalid ioctl
QAT: Invalid ioctl
audit: type=1326 audit(1506171696.448:136): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=22166 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4520a9 code=0xfff00000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 22629 Comm: syz-executor2 Not tainted 4.14.0-rc1+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:31
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3625
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 snd_seq_port_connect+0xd8/0x6e0 sound/core/seq/seq_ports.c:568
 snd_seq_ioctl_subscribe_port+0x212/0x2c0 sound/core/seq/seq_clientmgr.c:1443
 snd_seq_kernel_client_ctl+0x122/0x160 sound/core/seq/seq_clientmgr.c:2339
 snd_seq_oss_midi_open+0x493/0x7e0 sound/core/seq/oss/seq_oss_midi.c:375
 snd_seq_oss_synth_reset+0x408/0x980 sound/core/seq/oss/seq_oss_synth.c:419
 snd_seq_oss_reset+0x6c/0x260 sound/core/seq/oss/seq_oss_init.c:448
 snd_seq_oss_release+0x71/0x120 sound/core/seq/oss/seq_oss_init.c:425
 odev_release+0x52/0x70 sound/core/seq/oss/seq_oss.c:153
 __fput+0x333/0x7f0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x199/0x270 kernel/task_work.c:112
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0xa52/0x1b40 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x7e8/0x17e0 kernel/signal.c:2334
 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
 exit_to_usermode_loop+0x224/0x300 arch/x86/entry/common.c:158
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath+0x42f/0x500 arch/x86/entry/common.c:266
 entry_SYSCALL_64_fastpath+0xbc/0xbe
RIP: 0033:0x4520a9
RSP: 002b:00007fd5c6005c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 0000000000718000 RCX: 00000000004520a9
RDX: 000000000000001c RSI: 0000000020fb6000 RDI: 0000000000000006
RBP: 00000000000044b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004ba3eb
R13: 0000000000000016 R14: 0000000000000006 R15: 0000000020fb6000
QAT: Invalid ioctl
QAT: Invalid ioctl
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
QAT: Invalid ioctl
QAT: Invalid ioctl
CPU: 1 PID: 23392 Comm: syz-executor3 Not tainted 4.14.0-rc1+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:31
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc_node mm/slab.c:3304 [inline]
 kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3649
 alloc_task_struct_node kernel/fork.c:156 [inline]
 dup_task_struct kernel/fork.c:517 [inline]
 copy_process.part.36+0x1a6a/0x4af0 kernel/fork.c:1573
QAT: Invalid ioctl
QAT: Invalid ioctl
 copy_process kernel/fork.c:1548 [inline]
 _do_fork+0x1ef/0xfe0 kernel/fork.c:2027
 SYSC_clone kernel/fork.c:2137 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2131
 do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x4520a9
RSP: 002b:00007f7084da4c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004520a9
RDX: 00000000201b8ffc RSI: 00000000207f2000 RDI: 0000000000000000
RBP: 0000000000000450 R08: 00000000204d5000 R09: 0000000000000000
R10: 0000000020d74000 R11: 0000000000000216 R12: 00000000004b7454
R13: 0000000000000041 R14: 0000000000000000 R15: 00000000207f2000
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl

Crashes (8087):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/09/23 13:01 upstream c65da8e22b1d c26ea367 .config console log report ci-upstream-kasan-gce
2017/09/14 04:32 upstream e7989f973ae1 96b8e399 .config console log report ci-upstream-kasan-gce
2017/09/09 18:03 upstream 0e271fd59fe9 d18bfda0 .config console log report ci-upstream-kasan-gce
2017/09/06 18:43 upstream e7d0c41ecc2e 0ed1da4a .config console log report ci-upstream-kasan-gce
2017/09/06 12:19 upstream e7d0c41ecc2e 0ed1da4a .config console log report ci-upstream-kasan-gce
2017/10/14 08:03 upstream e837d9134be8 c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/10/10 23:05 upstream a957fd420ca8 c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/10/03 03:25 upstream 9e66317d3c92 c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/10/02 14:24 upstream 9e66317d3c92 c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/09/29 16:09 upstream 770b782f555d c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/09/28 04:02 upstream 225d3b674829 c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/10/06 19:45 linux-next 1418b852174a c26ea367 .config console log report ci-upstream-next-kasan-gce
2017/10/03 12:31 mmots 9af872441677 c26ea367 .config console log report ci-upstream-mmots-kasan-gce
2017/10/02 04:11 linux-next 1418b852174a c26ea367 .config console log report ci-upstream-next-kasan-gce
2017/09/21 02:09 mmots 720bbe532b7c c26ea367 .config console log report ci-upstream-mmots-kasan-gce
2017/09/19 18:45 linux-next 840cc455c5f5 92f543f0 .config console log report ci-upstream-next-kasan-gce
2017/09/18 04:49 mmots 720bbe532b7c c26ea367 .config console log report ci-upstream-mmots-kasan-gce
2017/09/15 00:27 linux-next 31fc38c47623 96b8e399 .config console log report skylake-linux-next-kasan-qemu
2017/09/10 05:51 linux-next 58bcd35f859b d18bfda0 .config console log report skylake-linux-next-kasan-qemu
2017/09/08 18:46 linux-next 58bcd35f859b d18bfda0 .config console log report skylake-linux-next-kasan-qemu
* Struck through repros no longer work on HEAD.