syzbot


possible deadlock in mm_access

Status: auto-closed as invalid on 2020/03/25 07:19
Reported-by: syzbot+0d014be916d18c349d99@syzkaller.appspotmail.com
First crash: 1837d, last: 1824d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-44 possible deadlock in mm_access 4 2090d 2050d 0/2 auto-closed as invalid on 2019/09/01 09:58

Sample crash report:
======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #1 Not tainted
-------------------------------------------------------
syz-executor.2/3659 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff810d2941>] mm_access+0x51/0x140 kernel/fork.c:1028
but task is already holding lock:
 (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8152a634>] inode_lock_shared include/linux/fs.h:776 [inline]
 (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8152a634>] lookup_slow+0x154/0x470 fs/namei.c:1645
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       down_read+0x44/0xb0 kernel/locking/rwsem.c:22
       inode_lock_shared include/linux/fs.h:776 [inline]
       do_last fs/namei.c:3314 [inline]
       path_openat+0x1309/0x2790 fs/namei.c:3534
       do_filp_open+0x197/0x270 fs/namei.c:3568
       do_open_execat+0x10f/0x640 fs/exec.c:844
       open_exec+0x43/0x60 fs/exec.c:876
       load_script+0x5a4/0x740 fs/binfmt_script.c:100
       search_binary_handler+0x14f/0x6f0 fs/exec.c:1621
       exec_binprm fs/exec.c:1663 [inline]
       do_execveat_common.isra.14+0x1139/0x1ed0 fs/exec.c:1785
       do_execveat fs/exec.c:1840 [inline]
       SYSC_execveat fs/exec.c:1921 [inline]
       SyS_execveat+0x55/0x70 fs/exec.c:1913
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_killable_nested+0xcc/0x9f0 kernel/locking/mutex.c:641
       mm_access+0x51/0x140 kernel/fork.c:1028
       map_files_d_revalidate+0xf6/0x6e0 fs/proc/base.c:1933
       d_revalidate fs/namei.c:789 [inline]
       lookup_slow+0x361/0x470 fs/namei.c:1656
       walk_component+0x822/0xcf0 fs/namei.c:1784
       lookup_last fs/namei.c:2266 [inline]
       path_lookupat.isra.10+0x186/0x410 fs/namei.c:2283
       filename_lookup.part.18+0x177/0x370 fs/namei.c:2317
       filename_lookup fs/namei.c:2310 [inline]
       user_path_at_empty+0x53/0x70 fs/namei.c:2578
       user_path_at include/linux/namei.h:55 [inline]
       SYSC_quotactl fs/quota/quota.c:862 [inline]
       SyS_quotactl+0x7c4/0x1250 fs/quota/quota.c:834
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key);
                               lock(&sig->cred_guard_mutex);
                               lock(&sb->s_type->i_mutex_key);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.2/3659:
 #0:  (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8152a634>] inode_lock_shared include/linux/fs.h:776 [inline]
 #0:  (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8152a634>] lookup_slow+0x154/0x470 fs/namei.c:1645

stack backtrace:
CPU: 0 PID: 3659 Comm: syz-executor.2 Not tainted 4.9.141+ #1
 ffff8800a0bef388 ffffffff81b42e79 ffffffff83ca2fd0 ffffffff83c73360
 ffffffff83ca2fd0 ffff88015e8ab850 ffff88015e8aaf80 ffff8800a0bef3d0
 ffffffff813fee40 0000000000000001 000000005e8ab830 0000000000000001
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff813fee40>] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202
 [<ffffffff8120a539>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [<ffffffff8120a539>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [<ffffffff8120a539>] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [<ffffffff8120a539>] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
 [<ffffffff8120c8d0>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [<ffffffff8280c45c>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [<ffffffff8280c45c>] mutex_lock_killable_nested+0xcc/0x9f0 kernel/locking/mutex.c:641
 [<ffffffff810d2941>] mm_access+0x51/0x140 kernel/fork.c:1028
 [<ffffffff81666cb6>] map_files_d_revalidate+0xf6/0x6e0 fs/proc/base.c:1933
 [<ffffffff8152a841>] d_revalidate fs/namei.c:789 [inline]
 [<ffffffff8152a841>] lookup_slow+0x361/0x470 fs/namei.c:1656
 [<ffffffff81539cf2>] walk_component+0x822/0xcf0 fs/namei.c:1784
 [<ffffffff8153b6b6>] lookup_last fs/namei.c:2266 [inline]
 [<ffffffff8153b6b6>] path_lookupat.isra.10+0x186/0x410 fs/namei.c:2283
 [<ffffffff8153f697>] filename_lookup.part.18+0x177/0x370 fs/namei.c:2317
 [<ffffffff8153fa53>] filename_lookup fs/namei.c:2310 [inline]
 [<ffffffff8153fa53>] user_path_at_empty+0x53/0x70 fs/namei.c:2578
 [<ffffffff81654594>] user_path_at include/linux/namei.h:55 [inline]
 [<ffffffff81654594>] SYSC_quotactl fs/quota/quota.c:862 [inline]
 [<ffffffff81654594>] SyS_quotactl+0x7c4/0x1250 fs/quota/quota.c:834
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
ip6_tunnel: ip6tnl3 xmit: Local address not yet configured!
ip6_tunnel: ip6tnl3 xmit: Local address not yet configured!
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=3759 comm=syz-executor.4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=32784 sclass=netlink_route_socket pig=3759 comm=syz-executor.4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
audit: type=1400 audit(1574649326.221:522): avc:  denied  { net_broadcast } for  pid=3823 comm="syz-executor.5" capability=11  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): sit13: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): sit14: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vti10: link becomes ready
ip6_tunnel: ip6tnl3 xmit: Local address not yet configured!
ip6_tunnel: ip6tnl3 xmit: Local address not yet configured!
input: syz1 as /devices/virtual/input/input306
input: syz1 as /devices/virtual/input/input307
audit: type=1400 audit(1574649327.461:523): avc:  denied  { associate } for  pid=3906 comm="syz-executor.3" name=7374617409C0D2FEBCF9DF2DEAC8C177FF179C58371248E91193513049F831550D6F7DE66CF6783F9DB5116B34D31B0512A5608AAFF01E7952340CD6FD scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
syz-executor.1: [ 1640.883119] tc_dump_action: action bad kind
vmalloc: allocation failure: 0 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 3947 Comm: syz-executor.1 Not tainted 4.9.141+ #1
 ffff8800b99f78a0 ffffffff81b42e79 1ffff1001733ef16 ffff8801d3304740
 ffffffff82aa8c00 0000000000000001 0000000000400000 ffff8800b99f79e8
 ffffffff814fc7c8 0000000041b58ab3 ffffffff82e37a10 ffffffff81427db0
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff814fc7c8>] warn_alloc.cold.31+0x7f/0x9c mm/page_alloc.c:3068
 [<ffffffff814c9f8e>] __vmalloc_node_range+0x35e/0x600 mm/vmalloc.c:1723
 [<ffffffff814ca71b>] __vmalloc_node mm/vmalloc.c:1745 [inline]
 [<ffffffff814ca71b>] __vmalloc_node_flags mm/vmalloc.c:1759 [inline]
 [<ffffffff814ca71b>] vmalloc+0x5b/0x70 mm/vmalloc.c:1774
 [<ffffffff81a122d5>] sel_write_load+0x135/0xfa0 security/selinux/selinuxfs.c:514
 [<ffffffff81508085>] __vfs_write+0x115/0x580 fs/read_write.c:507
 [<ffffffff8150ab97>] vfs_write+0x187/0x520 fs/read_write.c:557
 [<ffffffff8150e9c9>] SYSC_write fs/read_write.c:604 [inline]
 [<ffffffff8150e9c9>] SyS_write+0xd9/0x1c0 fs/read_write.c:596
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Mem-Info:
active_anon:951884 inactive_anon:99621 isolated_anon:0
 active_file:5292 inactive_file:41309 isolated_file:0
 unevictable:6 dirty:361 writeback:0 unstable:0
 slab_reclaimable:8217 slab_unreclaimable:88143
 mapped:85690 shmem:152001 pagetables:23939 bounce:0
 free:350262 free_pcp:415 free_cma:0
Node 0 active_anon:3807536kB inactive_anon:398484kB active_file:21168kB inactive_file:165236kB unevictable:24kB isolated(anon):0kB isolated(file):0kB mapped:342760kB dirty:1444kB writeback:0kB shmem:608004kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA32 free:1391916kB min:4696kB low:7712kB high:10728kB active_anon:1213904kB inactive_anon:104164kB active_file:252kB inactive_file:72088kB unevictable:24kB writepending:104kB present:3145324kB managed:3020132kB mlocked:24kB slab_reclaimable:6464kB slab_unreclaimable:179112kB kernel_stack:11488kB pagetables:18752kB bounce:0kB free_pcp:860kB local_pcp:204kB free_cma:0kB
Normal free:9132kB min:5580kB low:9168kB high:12756kB active_anon:2593532kB inactive_anon:294320kB active_file:20916kB inactive_file:93148kB unevictable:0kB writepending:1340kB present:4718592kB managed:3589312kB mlocked:0kB slab_reclaimable:26404kB slab_unreclaimable:173460kB kernel_stack:24768kB pagetables:77004kB bounce:0kB free_pcp:800kB local_pcp:424kB free_cma:0kB
DMA32: 678*4kB (U) 813*8kB (UM) 619*16kB (UME) 370*32kB (UME) 161*64kB (UME) 188*128kB (UM) 59*256kB (UM) 57*512kB (UM) 46*1024kB (UM) 29*2048kB (UM) 287*4096kB (UM) = 1391664kB
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313618 pages reserved
syz-executor.1: vmalloc: allocation failure: 0 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 1 PID: 3955 Comm: syz-executor.1 Not tainted 4.9.141+ #1
 ffff8800b69378a0 ffffffff81b42e79 1ffff10016d26f16 ffff8800a9785f00
 ffffffff82aa8c00 0000000000000001 0000000000400000 ffff8800b69379e8
 ffffffff814fc7c8 0000000041b58ab3 ffffffff82e37a10 ffffffff81427db0
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff814fc7c8>] warn_alloc.cold.31+0x7f/0x9c mm/page_alloc.c:3068
 [<ffffffff814c9f8e>] __vmalloc_node_range+0x35e/0x600 mm/vmalloc.c:1723
 [<ffffffff814ca71b>] __vmalloc_node mm/vmalloc.c:1745 [inline]
 [<ffffffff814ca71b>] __vmalloc_node_flags mm/vmalloc.c:1759 [inline]
 [<ffffffff814ca71b>] vmalloc+0x5b/0x70 mm/vmalloc.c:1774
 [<ffffffff81a122d5>] sel_write_load+0x135/0xfa0 security/selinux/selinuxfs.c:514
 [<ffffffff81508085>] __vfs_write+0x115/0x580 fs/read_write.c:507
 [<ffffffff8150ab97>] vfs_write+0x187/0x520 fs/read_write.c:557
 [<ffffffff8150e9c9>] SYSC_write fs/read_write.c:604 [inline]
 [<ffffffff8150e9c9>] SyS_write+0xd9/0x1c0 fs/read_write.c:596
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Mem-Info:
active_anon:951909 inactive_anon:99621 isolated_anon:0
 active_file:5292 inactive_file:41309 isolated_file:0
 unevictable:6 dirty:361 writeback:0 unstable:0
 slab_reclaimable:8217 slab_unreclaimable:88175
 mapped:85690 shmem:152001 pagetables:23939 bounce:0
 free:350199 free_pcp:411 free_cma:0
Node 0 active_anon:3807636kB inactive_anon:398484kB active_file:21168kB inactive_file:165236kB unevictable:24kB isolated(anon):0kB isolated(file):0kB mapped:342760kB dirty:1444kB writeback:0kB shmem:608004kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA32 free:1391664kB min:4696kB low:7712kB high:10728kB active_anon:1214104kB inactive_anon:104164kB active_file:252kB inactive_file:72088kB unevictable:24kB writepending:104kB present:3145324kB managed:3020132kB mlocked:24kB slab_reclaimable:6464kB slab_unreclaimable:179240kB kernel_stack:11456kB pagetables:18752kB bounce:0kB free_pcp:844kB local_pcp:652kB free_cma:0kB
Normal free:9132kB min:5580kB low:9168kB high:12756kB active_anon:2593532kB inactive_anon:294320kB active_file:20916kB inactive_file:93148kB unevictable:0kB writepending:1340kB present:4718592kB managed:3589312kB mlocked:0kB slab_reclaimable:26404kB slab_unreclaimable:173460kB kernel_stack:24768kB pagetables:77004kB bounce:0kB free_pcp:800kB local_pcp:376kB free_cma:0kB
DMA32: 678*4kB (U) 813*8kB (UM) 619*16kB (UME) 371*32kB (UME) 161*64kB (UME) 188*128kB (UM) 59*256kB (UM) 57*512kB (UM) 46*1024kB (UM) 29*2048kB (UM) 287*4096kB (UM) = 1391696kB
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313618 pages reserved
device lo entered promiscuous mode
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.3'.
binder: 3996:4005 got transaction to invalid handle
binder: 3996:4005 transaction failed 29201/-22, size 96-24 line 3013
audit: type=1400 audit(1574649332.311:524): avc:  denied  { call } for  pid=3996 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 3996:4005 BC_FREE_BUFFER u0000000020ffc000 no match
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 357, process died.
audit: type=1400 audit(1574649332.621:525): avc:  denied  { connect } for  pid=4043 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
input: syz1 as /devices/virtual/input/input311
input: syz1 as /devices/virtual/input/input312

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/11/25 02:35 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 598ca6c8 .config console log report ci-android-49-kasan-gce
2019/11/22 05:35 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 8098ea0f .config console log report ci-android-49-kasan-gce
2019/11/21 06:40 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 8098ea0f .config console log report ci-android-49-kasan-gce
2019/11/16 03:17 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 cdac920b .config console log report ci-android-49-kasan-gce
2019/11/13 06:35 https://android.googlesource.com/kernel/common android-4.9 7fe05eede1c8 048f2d49 .config console log report ci-android-49-kasan-gce-root
2019/11/26 07:18 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 f746151a .config console log report ci-android-49-kasan-gce-386
2019/11/14 08:20 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 048f2d49 .config console log report ci-android-49-kasan-gce-386
* Struck through repros no longer work on HEAD.