syzbot

possible deadlock in shmem_fallocate

Status: public: reported C repro on 2019/04/11 00:00
Reported-by: syzbot+ac021b56d1e4404041c2@syzkaller.appspotmail.com
First crash: 2065d, last: 1605d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 possible deadlock in shmem_fallocate (2) 2 1440d 1508d 0/1 auto-closed as invalid on 2020/09/14 02:25
upstream possible deadlock in shmem_fallocate mm 8087 2381d 2425d 0/26 closed as invalid on 2017/11/05 09:38
linux-4.19 possible deadlock in shmem_fallocate 1 1729d 1729d 0/1 auto-closed as invalid on 2019/11/29 05:22
android-49 possible deadlock in shmem_fallocate C 2441 1604d 1841d 0/3 public: reported C repro on 2019/04/11 08:44
upstream possible deadlock in shmem_fallocate (3) mm 1 1694d 1690d 0/26 auto-closed as invalid on 2019/11/05 02:34
upstream possible deadlock in shmem_fallocate (4) mm C done 81 1367d 1582d 15/26 fixed on 2020/09/16 22:51
upstream possible deadlock in shmem_fallocate (2) mm C 1325 1877d 2085d 11/26 fixed on 2019/03/28 12:00

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)

======================================================
WARNING: possible circular locking dependency detected
4.14.67+ #1 Not tainted
------------------------------------------------------
syz-executor947/1975 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#11){++++}, at: [<ffffffffb688a759>] inode_lock include/linux/fs.h:713 [inline]
 (&sb->s_type->i_mutex_key#11){++++}, at: [<ffffffffb688a759>] shmem_fallocate+0x149/0xb20 mm/shmem.c:2850

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<ffffffffb75ec9b2>] ashmem_shrink_scan+0x52/0x4e0 drivers/staging/android/ashmem.c:440

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
       ashmem_mmap+0x4c/0x3b0 drivers/staging/android/ashmem.c:369
       call_mmap include/linux/fs.h:1787 [inline]
       mmap_region+0x836/0xfb0 mm/mmap.c:1731
       do_mmap+0x551/0xb80 mm/mmap.c:1509
       do_mmap_pgoff include/linux/mm.h:2167 [inline]
       vm_mmap_pgoff+0x180/0x1d0 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1559 [inline]
       SyS_mmap_pgoff+0xf8/0x1a0 mm/mmap.c:1517
       do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&mm->mmap_sem){++++}:
       __might_fault+0x137/0x1b0 mm/memory.c:4519
       _copy_to_user+0x27/0xc0 lib/usercopy.c:25
       copy_to_user include/linux/uaccess.h:155 [inline]
       filldir+0x192/0x340 fs/readdir.c:197
       dir_emit_dot include/linux/fs.h:3380 [inline]
       dir_emit_dots include/linux/fs.h:3391 [inline]
       dcache_readdir+0x12f/0x5d0 fs/libfs.c:192
       iterate_dir+0x19f/0x5e0 fs/readdir.c:52
       SYSC_getdents fs/readdir.c:232 [inline]
       SyS_getdents+0x146/0x270 fs/readdir.c:213
       do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&sb->s_type->i_mutex_key#11){++++}:
       lock_acquire+0x10f/0x380 kernel/locking/lockdep.c:3991
       down_write+0x34/0x90 kernel/locking/rwsem.c:54
       inode_lock include/linux/fs.h:713 [inline]
       shmem_fallocate+0x149/0xb20 mm/shmem.c:2850
       ashmem_shrink_scan+0x1b6/0x4e0 drivers/staging/android/ashmem.c:447
       ashmem_ioctl+0x2cc/0xe20 drivers/staging/android/ashmem.c:789
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
       do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#11 --> &mm->mmap_sem --> ashmem_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#11);

 *** DEADLOCK ***

1 lock held by syz-executor947/1975:
 #0:  (ashmem_mutex){+.+.}, at: [<ffffffffb75ec9b2>] ashmem_shrink_scan+0x52/0x4e0 drivers/staging/android/ashmem.c:440

stack backtrace:
CPU: 0 PID: 1975 Comm: syz-executor947 Not tainted 4.14.67+ #1
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_circular_bug.isra.18.cold.43+0x2d3/0x40c kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2ff9/0x4320 kernel/locking/lockdep.c:3487
 lock_acquire+0x10f/0x380 kernel/locking/lockdep.c:3991
 down_write+0x34/0x90 kernel/locking/rwsem.c:54
 inode_lock include/linux/fs.h:713 [inline]
 shmem_fallocate+0x149/0xb20 mm/shmem.c:2850
 ashmem_shrink_scan+0x1b6/0x4e0 drivers/staging/android/ashmem.c:447
 ashmem_ioctl+0x2cc/0xe20 drivers/staging/android/ashmem.c:789
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0

Crashes (7876):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/08/31 02:23 android-4.14 47350a9f13c6 938220fd .config console log report syz C ci-android-414-kasan-gce-root
2018/11/05 19:39 android-4.14 d4e5dea08bbf 8bd6bd63 .config console log report syz ci-android-414-kasan-gce-root