syzbot

 sign-in | mailing list | source | docs
🐞 Open [984] Subsystems 🐞 Fixed [5216] 🐞 Invalid [12474] Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

possible deadlock in generic_file_write_iter

Status: fixed on 2017/11/28 03:36
Reported-by: syzbot+f99f3a0db9007f4f4e32db54229a240c4fe57c15@syzkaller.appspotmail.com
Fix commit: e319e1fbd9d4 block, locking/lockdep: Assign a lock_class per gendisk used for wait_for_completion()
First crash: 2419d, last: 2334d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream possible deadlock in generic_file_write_iter (2) fs 182 2316d 2329d 0/26 closed as invalid on 2018/02/13 19:29
linux-4.19 possible deadlock in generic_file_write_iter 4 1410d 1418d 0/1 auto-closed as invalid on 2020/10/06 15:19
linux-4.19 possible deadlock in generic_file_write_iter (2) C error 453 449d 1018d 0/1 upstream: reported C repro on 2021/07/06 07:41
linux-4.14 possible deadlock in generic_file_write_iter (2) C 20 416d 848d 0/1 upstream: reported C repro on 2021/12/23 04:07
linux-4.14 possible deadlock in generic_file_write_iter 3 1415d 1489d 0/1 auto-closed as invalid on 2020/10/01 23:22

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
4.14.0-rc1+ #89 Not tainted
------------------------------------------------------
loop0/2992 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#9){++++}, at: [<ffffffff81870b1c>] inode_lock include/linux/fs.h:712 [inline]
 (&sb->s_type->i_mutex_key#9){++++}, at: [<ffffffff81870b1c>] generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3161

but now in release context of a crosslock acquired at the following:
 ((complete)&ret.event){+.+.}, at: [<ffffffff822a839e>] submit_bio_wait+0x15e/0x200 block/bio.c:953

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 ((complete)&ret.event){+.+.}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       complete_acquire include/linux/completion.h:39 [inline]
       __wait_for_common kernel/sched/completion.c:108 [inline]
       wait_for_common_io kernel/sched/completion.c:128 [inline]
       wait_for_completion_io+0xc8/0x770 kernel/sched/completion.c:176
       submit_bio_wait+0x15e/0x200 block/bio.c:953
       blkdev_issue_zeroout+0x13c/0x1d0 block/blk-lib.c:370
       sb_issue_zeroout include/linux/blkdev.h:1367 [inline]
       ext4_init_inode_table+0x4fd/0xdb1 fs/ext4/ialloc.c:1447
       ext4_run_li_request fs/ext4/super.c:2866 [inline]
       ext4_lazyinit_thread+0x81a/0xd40 fs/ext4/super.c:2960
       kthread+0x39c/0x470 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

-> #3 (&meta_group_info[i]->alloc_sem){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       down_read+0x96/0x150 kernel/locking/rwsem.c:23
       __ext4_new_inode+0x26dc/0x4f00 fs/ext4/ialloc.c:1056
       ext4_symlink+0x2d9/0xae0 fs/ext4/namei.c:3118
       vfs_symlink+0x323/0x560 fs/namei.c:4115
       SYSC_symlinkat fs/namei.c:4142 [inline]
       SyS_symlinkat fs/namei.c:4122 [inline]
       SYSC_symlink fs/namei.c:4155 [inline]
       SyS_symlink+0x134/0x200 fs/namei.c:4153
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #2 (jbd2_handle){.+.+}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       start_this_handle+0x4b8/0x1080 fs/jbd2/transaction.c:390
       jbd2__journal_start+0x389/0x9f0 fs/jbd2/transaction.c:444
       __ext4_journal_start_sb+0x15f/0x550 fs/ext4/ext4_jbd2.c:80
       __ext4_journal_start fs/ext4/ext4_jbd2.h:314 [inline]
       ext4_dirty_inode+0x56/0xa0 fs/ext4/inode.c:5859
       __mark_inode_dirty+0x912/0x1170 fs/fs-writeback.c:2096
       generic_update_time+0x1b2/0x270 fs/inode.c:1649
       update_time fs/inode.c:1665 [inline]
       touch_atime+0x26d/0x2f0 fs/inode.c:1737
       file_accessed include/linux/fs.h:2061 [inline]
       ext4_file_mmap+0x161/0x1b0 fs/ext4/file.c:352
       call_mmap include/linux/fs.h:1775 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1690
       do_mmap+0x6a1/0xd50 mm/mmap.c:1468
       do_mmap_pgoff include/linux/mm.h:2150 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1518 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1476
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:99 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:90
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #1 (&mm->mmap_sem){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       __might_fault+0x13a/0x1d0 mm/memory.c:4502
       _copy_to_user+0x2c/0xc0 lib/usercopy.c:24
       copy_to_user include/linux/uaccess.h:154 [inline]
       filldir+0x1a7/0x320 fs/readdir.c:196
       dir_emit_dot include/linux/fs.h:3339 [inline]
       dir_emit_dots include/linux/fs.h:3350 [inline]
       dcache_readdir+0x12d/0x5e0 fs/libfs.c:192
       iterate_dir+0x4b2/0x5d0 fs/readdir.c:51
       SYSC_getdents fs/readdir.c:231 [inline]
       SyS_getdents+0x225/0x450 fs/readdir.c:212
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #0 (&sb->s_type->i_mutex_key#9){++++}:
       down_write+0x87/0x120 kernel/locking/rwsem.c:53
       inode_lock include/linux/fs.h:712 [inline]
       generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3161
       call_write_iter include/linux/fs.h:1770 [inline]
       do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:673
       do_iter_write+0x15a/0x540 fs/read_write.c:952
       vfs_iter_write+0x77/0xb0 fs/read_write.c:965

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#9 --> &meta_group_info[i]->alloc_sem --> (complete)&ret.event

 Possible unsafe locking scenario by crosslock:

       CPU0                    CPU1
       ----                    ----
  lock(&meta_group_info[i]->alloc_sem);
  lock((complete)&ret.event);
                               lock(&sb->s_type->i_mutex_key#9);
                               unlock((complete)&ret.event);

 *** DEADLOCK ***

1 lock held by loop0/2992:
 #0:  (&x->wait#14){..-.}, at: [<ffffffff815273f8>] complete+0x18/0x80 kernel/sched/completion.c:34

stack backtrace:
CPU: 1 PID: 2992 Comm: loop0 Not tainted 4.14.0-rc1+ #89
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_circular_bug+0x503/0x710 kernel/locking/lockdep.c:1259
 check_prev_add+0x865/0x1520 kernel/locking/lockdep.c:1894
 commit_xhlock kernel/locking/lockdep.c:5015 [inline]
 commit_xhlocks kernel/locking/lockdep.c:5059 [inline]
 lock_commit_crosslock+0xe73/0x1d10 kernel/locking/lockdep.c:5098
 complete_release_commit include/linux/completion.h:49 [inline]
 complete+0x24/0x80 kernel/sched/completion.c:39
 submit_bio_wait_endio+0x9c/0xd0 block/bio.c:930
 bio_endio+0x2f8/0x8d0 block/bio.c:1843
 req_bio_endio block/blk-core.c:204 [inline]
 blk_update_request+0x2a6/0xe20 block/blk-core.c:2743
 blk_mq_end_request+0x54/0x120 block/blk-mq.c:509
 lo_complete_rq+0xbe/0x1f0 drivers/block/loop.c:463
 __blk_mq_complete_request+0x38f/0x6c0 block/blk-mq.c:550
 blk_mq_complete_request+0x4f/0x60 block/blk-mq.c:570
 loop_handle_cmd drivers/block/loop.c:1710 [inline]
 loop_queue_work+0x26b/0x3900 drivers/block/loop.c:1719
 kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635
 loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:836
 kthread+0x39c/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Crashes (61506):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/09/18 05:09 upstream 0666f560b71b 96b8e399 .config console log report syz C ci-upstream-kasan-gce
2017/09/16 01:12 upstream b38923a068c1 96b8e399 .config console log report syz C ci-upstream-kasan-gce
2017/09/15 08:45 upstream 7a95bdb092c6 96b8e399 .config console log report syz C ci-upstream-kasan-gce
2017/09/13 15:51 upstream 6d8ef53e8b2f c12eb94a .config console log report syz C ci-upstream-kasan-gce
2017/09/21 17:43 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/21 16:12 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/21 12:20 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/19 09:00 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/18 04:41 linux-next fc2e8b1a47c1 2bab8ad8 .config console log report syz C skylake-linux-next-kasan-qemu
2017/09/04 10:13 linux-next 9829d9f31f6c f400a0da .config console log report syz C ci-upstream-next-kasan-gce
2017/11/27 04:39 upstream bbecb1cfcca5 4bd70f88 .config console log report ci-upstream-kasan-gce
2017/11/27 02:47 upstream bbecb1cfcca5 4bd70f88 .config console log report ci-upstream-kasan-gce
2017/09/30 10:10 upstream 99637e4268ea c26ea367 .config console log report ci-upstream-kasan-gce
2017/09/25 11:55 upstream e19b205be43d c26ea367 .config console log report ci-upstream-kasan-gce
2017/09/23 17:50 upstream c65da8e22b1d c26ea367 .config console log report ci-upstream-kasan-gce
2017/09/18 12:29 upstream 0666f560b71b 96b8e399 .config console log report ci-upstream-kasan-gce
2017/09/18 11:18 upstream 0666f560b71b 96b8e399 .config console log report ci-upstream-kasan-gce
2017/09/17 22:21 upstream 0666f560b71b 96b8e399 .config console log report ci-upstream-kasan-gce
2017/09/16 04:26 upstream b38923a068c1 96b8e399 .config console log report ci-upstream-kasan-gce
2017/09/14 12:23 upstream 46c1e79fee41 96b8e399 .config console log report ci-upstream-kasan-gce
2017/09/11 13:40 upstream f007cad159e9 449b6f15 .config console log report ci-upstream-kasan-gce
2017/11/27 22:15 upstream 4fbd8d194f06 ac93d7e1 .config console log report ci-upstream-kasan-gce-386
2017/11/27 14:21 upstream 4fbd8d194f06 ac93d7e1 .config console log report ci-upstream-kasan-gce-386
2017/11/26 23:07 upstream 844056fd74eb 4bd70f88 .config console log report ci-upstream-kasan-gce-386
2017/11/26 13:18 upstream 844056fd74eb 4bd70f88 .config console log report ci-upstream-kasan-gce-386
2017/11/26 02:10 upstream 844056fd74eb 4bd70f88 .config console log report ci-upstream-kasan-gce-386
2017/11/25 18:25 upstream 7753ea096408 4bd70f88 .config console log report ci-upstream-kasan-gce-386
2017/11/25 16:58 upstream 7753ea096408 4bd70f88 .config console log report ci-upstream-kasan-gce-386
2017/11/24 12:55 net-next-old 1d3b78bbc6e9 deb5f6ae .config console log report ci-upstream-kasan-gce-386
2017/11/24 10:32 net-next-old 1d3b78bbc6e9 deb5f6ae .config console log report ci-upstream-kasan-gce-386
2017/11/24 05:17 upstream 5a787756b809 cb27b030 .config console log report ci-upstream-kasan-gce-386
2017/11/24 02:48 upstream 5a787756b809 cb27b030 .config console log report ci-upstream-kasan-gce-386
2017/11/23 22:56 upstream 5a787756b809 cb27b030 .config console log report ci-upstream-kasan-gce-386
2017/11/23 12:06 upstream 5a787756b809 cb27b030 .config console log report ci-upstream-kasan-gce-386
2017/11/23 03:43 net-next-old 0c86a6bd85ff ddf7b3e0 .config console log report ci-upstream-kasan-gce-386
2017/10/12 05:21 upstream 56ae414e9d27 c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/10/05 11:59 upstream 42b76d0e6b1f c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/10/01 04:29 upstream a8c964eacb21 c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/09/26 23:22 upstream e365806ac289 c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/11/24 23:32 net-next-old 1d3b78bbc6e9 deb5f6ae .config console log report ci-upstream-net-kasan-gce
2017/09/17 12:18 net-next-old 2bd6bf03f4c1 96b8e399 .config console log report ci-upstream-net-kasan-gce
2017/11/22 22:50 linux-next 1efc584c7106 31af2ce0 .config console log report ci-upstream-next-kasan-gce
2017/11/22 14:20 linux-next 1efc584c7106 31af2ce0 .config console log report ci-upstream-next-kasan-gce
2017/11/22 13:25 linux-next 1efc584c7106 31af2ce0 .config console log report ci-upstream-next-kasan-gce
2017/10/14 22:44 linux-next 49827b977a2e 441d64d9 .config console log report ci-upstream-next-kasan-gce
2017/10/08 11:43 mmots fb686cb13e51 c26ea367 .config console log report ci-upstream-mmots-kasan-gce
2017/10/08 05:16 mmots fb686cb13e51 c26ea367 .config console log report ci-upstream-mmots-kasan-gce
2017/10/04 01:00 mmots 9af872441677 c26ea367 .config console log report ci-upstream-mmots-kasan-gce
2017/09/24 11:21 mmots 720bbe532b7c c26ea367 .config console log report ci-upstream-mmots-kasan-gce
2017/09/18 20:30 mmots 720bbe532b7c c26ea367 .config console log report ci-upstream-mmots-kasan-gce
* Struck through repros no longer work on HEAD.