syzbot


possible deadlock in vm_mmap_pgoff

Status: auto-closed as invalid on 2021/12/02 20:13
Reported-by: syzbot+5e358dd53781fed47144@syzkaller.appspotmail.com
First crash: 1170d, last: 1048d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 possible deadlock in vm_mmap_pgoff origin:upstream C 35 8d16h 456d 0/3 upstream: reported C repro on 2023/03/20 04:41
linux-4.19 possible deadlock in vm_mmap_pgoff (2) C error 2 567d 571d 0/1 upstream: reported C repro on 2022/11/25 13:47
linux-5.15 possible deadlock in vm_mmap_pgoff origin:upstream C error 38 3d17h 456d 0/3 upstream: reported C repro on 2023/03/19 23:00
upstream possible deadlock in vm_mmap_pgoff reiserfs C inconclusive inconclusive 225 141d 1148d 0/27 auto-obsoleted due to no activity on 2024/04/27 11:44
linux-4.14 possible deadlock in vm_mmap_pgoff reiserfs C 4 496d 563d 0/1 upstream: reported C repro on 2022/12/03 00:54

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
4.19.201-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/8263 is trying to acquire lock:
00000000d1035998 (event_mutex){+.+.}, at: perf_trace_destroy+0x23/0xf0 kernel/trace/trace_event_perf.c:236

but task is already holding lock:
0000000095196201 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x152/0x200 mm/util.c:355

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&mm->mmap_sem){++++}:
       dup_mmap kernel/fork.c:436 [inline]
       dup_mm kernel/fork.c:1284 [inline]
       copy_mm kernel/fork.c:1340 [inline]
       copy_process.part.0+0x2bcf/0x8260 kernel/fork.c:1912
       copy_process kernel/fork.c:1709 [inline]
       _do_fork+0x22f/0xf30 kernel/fork.c:2218
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&dup_mmap_sem){++++}:
       percpu_down_write+0x62/0x3f0 kernel/locking/percpu-rwsem.c:145
       register_for_each_vma+0x91/0xe40 kernel/events/uprobes.c:793
       __uprobe_register kernel/events/uprobes.c:929 [inline]
       uprobe_register+0x3dc/0x730 kernel/events/uprobes.c:944
       probe_event_enable+0x425/0xbb0 kernel/trace/trace_uprobe.c:915
       trace_uprobe_register+0x2d8/0x790 kernel/trace/trace_uprobe.c:1200
       perf_trace_event_reg kernel/trace/trace_event_perf.c:124 [inline]
       perf_trace_event_init+0x4c1/0x920 kernel/trace/trace_event_perf.c:199
       perf_uprobe_init+0x165/0x200 kernel/trace/trace_event_perf.c:330
       perf_uprobe_event_init+0xf8/0x190 kernel/events/core.c:8613
       perf_try_init_event+0x124/0x2e0 kernel/events/core.c:9884
       perf_init_event kernel/events/core.c:9915 [inline]
       perf_event_alloc.part.0+0x1b16/0x2eb0 kernel/events/core.c:10189
       perf_event_alloc kernel/events/core.c:10559 [inline]
       __do_sys_perf_event_open kernel/events/core.c:10660 [inline]
       __se_sys_perf_event_open+0x550/0x2720 kernel/events/core.c:10549
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&uprobe->register_rwsem){+.+.}:
       __uprobe_register kernel/events/uprobes.c:925 [inline]
       uprobe_register+0x34b/0x730 kernel/events/uprobes.c:944
       probe_event_enable+0x425/0xbb0 kernel/trace/trace_uprobe.c:915
       trace_uprobe_register+0x2d8/0x790 kernel/trace/trace_uprobe.c:1200
       perf_trace_event_reg kernel/trace/trace_event_perf.c:124 [inline]
       perf_trace_event_init+0x4c1/0x920 kernel/trace/trace_event_perf.c:199
       perf_uprobe_init+0x165/0x200 kernel/trace/trace_event_perf.c:330
       perf_uprobe_event_init+0xf8/0x190 kernel/events/core.c:8613
       perf_try_init_event+0x124/0x2e0 kernel/events/core.c:9884
       perf_init_event kernel/events/core.c:9915 [inline]
       perf_event_alloc.part.0+0x1b16/0x2eb0 kernel/events/core.c:10189
       perf_event_alloc kernel/events/core.c:10559 [inline]
       __do_sys_perf_event_open kernel/events/core.c:10660 [inline]
       __se_sys_perf_event_open+0x550/0x2720 kernel/events/core.c:10549
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (event_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:938 [inline]
       __mutex_lock+0xd7/0x1200 kernel/locking/mutex.c:1083
       perf_trace_destroy+0x23/0xf0 kernel/trace/trace_event_perf.c:236
       _free_event+0x32c/0x1150 kernel/events/core.c:4484
       put_event kernel/events/core.c:4578 [inline]
       perf_mmap_close+0x6f6/0xea0 kernel/events/core.c:5582
       remove_vma+0xa9/0x170 mm/mmap.c:176
       remove_vma_list mm/mmap.c:2550 [inline]
       do_munmap+0x6f9/0xde0 mm/mmap.c:2786
       mmap_region+0x2a3/0x16b0 mm/mmap.c:1700
       do_mmap+0x8e8/0x1080 mm/mmap.c:1530
       do_mmap_pgoff include/linux/mm.h:2329 [inline]
       vm_mmap_pgoff+0x197/0x200 mm/util.c:357
       ksys_mmap_pgoff+0x298/0x5a0 mm/mmap.c:1580
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  event_mutex --> &dup_mmap_sem --> &mm->mmap_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&mm->mmap_sem);
                               lock(&dup_mmap_sem);
                               lock(&mm->mmap_sem);
  lock(event_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.3/8263:
 #0: 0000000095196201 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x152/0x200 mm/util.c:355

stack backtrace:
CPU: 1 PID: 8263 Comm: syz-executor.3 Not tainted 4.19.201-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 __mutex_lock_common kernel/locking/mutex.c:938 [inline]
 __mutex_lock+0xd7/0x1200 kernel/locking/mutex.c:1083
 perf_trace_destroy+0x23/0xf0 kernel/trace/trace_event_perf.c:236
 _free_event+0x32c/0x1150 kernel/events/core.c:4484
 put_event kernel/events/core.c:4578 [inline]
 perf_mmap_close+0x6f6/0xea0 kernel/events/core.c:5582
 remove_vma+0xa9/0x170 mm/mmap.c:176
 remove_vma_list mm/mmap.c:2550 [inline]
 do_munmap+0x6f9/0xde0 mm/mmap.c:2786
 mmap_region+0x2a3/0x16b0 mm/mmap.c:1700
 do_mmap+0x8e8/0x1080 mm/mmap.c:1530
 do_mmap_pgoff include/linux/mm.h:2329 [inline]
 vm_mmap_pgoff+0x197/0x200 mm/util.c:357
 ksys_mmap_pgoff+0x298/0x5a0 mm/mmap.c:1580
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9d4dc31188 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 000000000056c0f0 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffc000
RBP: 00000000004bfcc4 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000011 R11: 0000000000000246 R12: 000000000056c0f0
R13: 00007ffdc237f84f R14: 00007f9d4dc31300 R15: 0000000000022000

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/08/04 20:12 linux-4.19.y 6ca2f514c578 b97d64c9 .config console log report info ci2-linux-4-19 possible deadlock in vm_mmap_pgoff
2021/07/05 21:28 linux-4.19.y 9f84340f012e 55aa55c2 .config console log report info ci2-linux-4-19 possible deadlock in vm_mmap_pgoff
2021/05/13 08:48 linux-4.19.y 3c8c23092588 ed7d41c5 .config console log report info ci2-linux-4-19 possible deadlock in vm_mmap_pgoff
2021/04/04 18:31 linux-4.19.y 2034d6f0838e 6a81331a .config console log report info ci2-linux-4-19 possible deadlock in vm_mmap_pgoff
* Struck through repros no longer work on HEAD.