syzbot


possible deadlock in mon_bin_vma_fault

Status: fixed on 2020/01/15 15:23
Reported-by: syzbot+762c17ca3bcdb87f6d8e@syzkaller.appspotmail.com
Fix commit: 3757e3818838 usb: mon: Fix a deadlock in usbmon between mmap and read
First crash: 1813d, last: 1564d
Fix bisection: fixed by (bisect log):
commit 3757e3818838828f969ea51bea9b0e4ba948575e
Author: Pete Zaitcev <zaitcev@redhat.com>
Date: Thu Dec 5 02:39:41 2019 +0000

  usb: mon: Fix a deadlock in usbmon between mmap and read

Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream possible deadlock in mon_bin_vma_fault C done 11427 1566d 2032d 15/26 fixed on 2020/02/14 01:19
linux-4.14 possible deadlock in mon_bin_vma_fault C done 282 1572d 1807d 1/1 fixed on 2020/01/07 21:27

Sample crash report:
audit: type=1400 audit(1571350131.470:36): avc:  denied  { map } for  pid=7496 comm="syz-executor086" path="/root/syz-executor086820530" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
audit: type=1400 audit(1571350131.550:37): avc:  denied  { map } for  pid=7497 comm="syz-executor086" path="/dev/usbmon4" dev="devtmpfs" ino=16585 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.19.80 #0 Not tainted
------------------------------------------------------
syz-executor086/7499 is trying to acquire lock:
00000000dcef28b1 (&rp->fetch_lock){+.+.}, at: mon_bin_vma_fault+0x73/0x2d0 drivers/usb/mon/mon_bin.c:1237

but task is already holding lock:
00000000fc161845 (&mm->mmap_sem){++++}, at: __mm_populate+0x270/0x380 mm/gup.c:1262

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&mm->mmap_sem){++++}:
       __might_fault mm/memory.c:4638 [inline]
       __might_fault+0x15e/0x1e0 mm/memory.c:4623
       _copy_to_user+0x30/0x120 lib/usercopy.c:25
       copy_to_user include/linux/uaccess.h:155 [inline]
       mon_bin_read+0x329/0x640 drivers/usb/mon/mon_bin.c:825
       __vfs_read+0x114/0x800 fs/read_write.c:416
       vfs_read+0x194/0x3d0 fs/read_write.c:452
       ksys_read+0x14f/0x2d0 fs/read_write.c:579
       __do_sys_read fs/read_write.c:589 [inline]
       __se_sys_read fs/read_write.c:587 [inline]
       __x64_sys_read+0x73/0xb0 fs/read_write.c:587
       do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&rp->fetch_lock){+.+.}:
       lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       mon_bin_vma_fault+0x73/0x2d0 drivers/usb/mon/mon_bin.c:1237
       __do_fault+0x111/0x480 mm/memory.c:3269
       do_read_fault mm/memory.c:3681 [inline]
       do_fault mm/memory.c:3810 [inline]
       handle_pte_fault mm/memory.c:4041 [inline]
       __handle_mm_fault+0x2d78/0x3f80 mm/memory.c:4165
       handle_mm_fault+0x1b5/0x690 mm/memory.c:4202
       faultin_page mm/gup.c:530 [inline]
       __get_user_pages+0x609/0x17a0 mm/gup.c:730
       populate_vma_page_range+0x20d/0x2a0 mm/gup.c:1234
       __mm_populate+0x204/0x380 mm/gup.c:1282
       mm_populate include/linux/mm.h:2328 [inline]
       vm_mmap_pgoff+0x213/0x230 mm/util.c:362
       ksys_mmap_pgoff+0x4aa/0x630 mm/mmap.c:1586
       __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
       __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&mm->mmap_sem);
                               lock(&rp->fetch_lock);
                               lock(&mm->mmap_sem);
  lock(&rp->fetch_lock);

 *** DEADLOCK ***

1 lock held by syz-executor086/7499:
 #0: 00000000fc161845 (&mm->mmap_sem){++++}, at: __mm_populate+0x270/0x380 mm/gup.c:1262

stack backtrace:
CPU: 1 PID: 7499 Comm: syz-executor086 Not tainted 4.19.80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1861 [inline]
 check_prevs_add kernel/locking/lockdep.c:1974 [inline]
 validate_chain kernel/locking/lockdep.c:2415 [inline]
 __lock_acquire+0x2e19/0x49c0 kernel/locking/lockdep.c:3411
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
 __mutex_lock_common kernel/locking/mutex.c:925 [inline]
 __mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
 mon_bin_vma_fault+0x73/0x2d0 drivers/usb/mon/mon_bin.c:1237
 __do_fault+0x111/0x480 mm/memory.c:3269
 do_read_fault mm/memory.c:3681 [inline]
 do_fault mm/memory.c:3810 [inline]
 handle_pte_fault mm/memory.c:4041 [inline]
 __handle_mm_fault+0x2d78/0x3f80 mm/memory.c:4165
 handle_mm_fault+0x1b5/0x690 mm/memory.c:4202
 faultin_page mm/gup.c:530 [inline]
 __get_user_pages+0x609/0x17a0 mm/gup.c:730
 populate_vma_page_range+0x20d/0x2a0 mm/gup.c:1234
 __mm_populate+0x204/0x380 mm/gup.c:1282
 mm_populate include/linux/mm.h:2328 [inline]
 vm_mmap_pgoff+0x213/0x230 mm/util.c:362
 ksys_mmap_pgoff+0x4aa/0x630 mm/mmap.c:1586
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
 __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44a689
Code: e8 8c b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5860a74cd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 000000000044a689
RDX: 0000000002000001 RSI: 0000000002000000 RDI: 0000000020ffd000
RBP: 00000000006dbc30 R08: 0000000000000005 R09: 0000000000000000
R10: 03eb6b06d1207692 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 00007fff88eb4f2f R14: 00007f5860a759c0 R15: 20c49ba5e353f7cf
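
The "Possible unsafe locking scenario" above is lockdep's conclusion from two single-task traces: mon_bin_read() holds &rp->fetch_lock when copy_to_user() may fault and take &mm->mmap_sem (chain entry #1), while the mmap() path holds &mm->mmap_sem inside __mm_populate() when the fault handler mon_bin_vma_fault() takes &rp->fetch_lock (chain entry #0). Neither task deadlocks on its own; the warning fires because the second edge closes a cycle in the recorded lock-order graph. The C program below is an added example, not code from the syzbot report or from drivers/usb/mon: a minimal lock-order cycle checker in the spirit of lockdep's dependency graph that replays those two paths and reports the inversion, plus a constructed control replay where both tasks take the locks in the same order. The task names, the `lock_acquire`/`lock_release` helpers and the `dep` matrix are the example's own assumptions.

```c
/*
 * Added example, not code from the syzbot report or from drivers/usb/mon.
 * A minimal lock-order cycle checker in the spirit of lockdep: every
 * acquisition records an edge "held lock -> acquired lock", and an
 * acquisition whose target already reaches a held lock closes a cycle.
 * Read/write semantics (mmap_sem is an rwsem) are ignored here.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8
#define MAX_HELD  8

enum lock_id { MMAP_SEM = 0, FETCH_LOCK = 1, NR_LOCKS = 2 };
static const char *lock_name[MAX_LOCKS] = { "&mm->mmap_sem", "&rp->fetch_lock" };

/* dep[a][b] is set once "a was held while b was acquired" has been seen. */
static bool dep[MAX_LOCKS][MAX_LOCKS];

struct task {
    const char *comm;       /* task name, our own label */
    int held[MAX_HELD];     /* locks currently held, in acquisition order */
    int nr_held;
};

/* Depth-first search over recorded edges: does 'from' reach 'to'? */
static bool reaches(int from, int to, bool *visited)
{
    if (from == to)
        return true;
    visited[from] = true;
    for (int next = 0; next < NR_LOCKS; next++)
        if (dep[from][next] && !visited[next] && reaches(next, to, visited))
            return true;
    return false;
}

/*
 * Record taking 'lock' in task 't'.  Returns true when the lock being taken
 * already precedes one of the locks 't' holds: the AB-BA inversion that
 * lockdep reports as a "possible circular locking dependency".
 */
static bool lock_acquire(struct task *t, int lock, const char *where)
{
    bool cycle = false;

    for (int i = 0; i < t->nr_held; i++) {
        int held = t->held[i];
        bool visited[MAX_LOCKS] = { 0 };

        if (reaches(lock, held, visited)) {
            printf("%s: possible circular locking dependency at %s\n",
                   t->comm, where);
            printf("  acquiring %s while holding %s, but %s -> %s is recorded\n",
                   lock_name[lock], lock_name[held],
                   lock_name[lock], lock_name[held]);
            cycle = true;
        }
        dep[held][lock] = true;     /* record the new edge either way */
    }
    t->held[t->nr_held++] = lock;
    return cycle;
}

static void lock_release(struct task *t, int lock)
{
    for (int i = 0; i < t->nr_held; i++) {
        if (t->held[i] == lock) {
            memmove(&t->held[i], &t->held[i + 1],
                    (size_t)(t->nr_held - i - 1) * sizeof t->held[0]);
            t->nr_held--;
            return;
        }
    }
}

/* Replay the two paths from the report; returns true once the cycle closes. */
static bool replay_usbmon_paths(void)
{
    struct task reader = { .comm = "read()", .nr_held = 0 };
    struct task mapper = { .comm = "mmap()", .nr_held = 0 };
    bool found = false;

    memset(dep, 0, sizeof dep);
    /* mon_bin_read(): fetch_lock held, copy_to_user() may fault -> mmap_sem */
    found |= lock_acquire(&reader, FETCH_LOCK, "mon_bin_read");
    found |= lock_acquire(&reader, MMAP_SEM, "copy_to_user/__might_fault");
    lock_release(&reader, MMAP_SEM);
    lock_release(&reader, FETCH_LOCK);
    /* __mm_populate(): mmap_sem held, page fault -> mon_bin_vma_fault() */
    found |= lock_acquire(&mapper, MMAP_SEM, "__mm_populate");
    found |= lock_acquire(&mapper, FETCH_LOCK, "mon_bin_vma_fault");
    lock_release(&mapper, FETCH_LOCK);
    lock_release(&mapper, MMAP_SEM);
    return found;
}

/* Control (constructed): both tasks take mmap_sem first, so no cycle exists. */
static bool replay_consistent_order(void)
{
    struct task a = { .comm = "a", .nr_held = 0 }, b = { .comm = "b", .nr_held = 0 };
    struct task *tasks[] = { &a, &b };
    bool found = false;

    memset(dep, 0, sizeof dep);
    for (int i = 0; i < 2; i++) {
        found |= lock_acquire(tasks[i], MMAP_SEM, tasks[i]->comm);
        found |= lock_acquire(tasks[i], FETCH_LOCK, tasks[i]->comm);
        lock_release(tasks[i], FETCH_LOCK);
        lock_release(tasks[i], MMAP_SEM);
    }
    return found;
}

int main(void)
{
    return (replay_usbmon_paths() && !replay_consistent_order()) ? 0 : 1;
}
```

The replay flags the inversion on the mapper's second acquisition, exactly where the report places it (mon_bin_vma_fault taking &rp->fetch_lock under &mm->mmap_sem), even though no task in the replay ever blocks. That is the practical point of a lockdep splat: with CONFIG_PROVE_LOCKING it is raised the first time the inconsistent order is observed, not when the race actually lands, so the fix has to change the lock order rather than wait for a hang to reproduce. Real lockdep also distinguishes read and write acquisitions of &mm->mmap_sem (the {++++} annotation); this checker treats every acquisition as exclusive.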

Crashes (375):
(VM info, Assets and Title columns are empty for every row listed.)

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | Manager |
|---|---|---|---|---|---|---|---|---|---|
| 2019/10/17 22:13 | linux-4.19.y | c3038e718a19 | 8c88c9c1 | .config | console log | report | syz | C | ci2-linux-4-19 |
| 2019/10/17 09:05 | linux-4.19.y | dafd634415a7 | 8c88c9c1 | .config | console log | report | syz | C | ci2-linux-4-19 |
| 2019/10/16 21:23 | linux-4.19.y | dafd634415a7 | 8c88c9c1 | .config | console log | report | syz | C | ci2-linux-4-19 |
| 2019/07/03 14:19 | linux-4.19.y | 1a0592436669 | 55565fa0 | .config | console log | report | syz | C | ci2-linux-4-19 |
| 2019/04/19 04:26 | linux-4.19.y | 4b0e041c9dad | b0e8efcb | .config | console log | report | syz | C | ci2-linux-4-19 |
| 2019/12/16 10:59 | linux-4.19.y | 312017a460d5 | 0ae38e44 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/16 06:03 | linux-4.19.y | 312017a460d5 | eef6e580 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/16 04:28 | linux-4.19.y | 312017a460d5 | eef6e580 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/15 18:48 | linux-4.19.y | 312017a460d5 | eef6e580 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/15 13:00 | linux-4.19.y | 312017a460d5 | eef6e580 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/14 07:33 | linux-4.19.y | 312017a460d5 | eef6e580 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/13 06:50 | linux-4.19.y | fb683b5e3f53 | 2a752b7c | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/12 19:03 | linux-4.19.y | fb683b5e3f53 | 08003f64 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/12 06:04 | linux-4.19.y | fb683b5e3f53 | d973f528 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/10 05:02 | linux-4.19.y | fb683b5e3f53 | 4b83c8fb | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/09 13:45 | linux-4.19.y | fb683b5e3f53 | b31eda3d | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/09 10:33 | linux-4.19.y | fb683b5e3f53 | 1508f453 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/07 20:50 | linux-4.19.y | fb683b5e3f53 | 1508f453 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/07 19:53 | linux-4.19.y | fb683b5e3f53 | 1508f453 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/06 11:39 | linux-4.19.y | fb683b5e3f53 | 12c3b6cd | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/05 12:13 | linux-4.19.y | fb683b5e3f53 | 9fd5a512 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/05 11:01 | linux-4.19.y | fb683b5e3f53 | 9fd5a512 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/04 21:16 | linux-4.19.y | 174651bdf802 | b2088328 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/04 09:42 | linux-4.19.y | 174651bdf802 | 0ecb9746 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/12/03 20:07 | linux-4.19.y | 174651bdf802 | 0ecb9746 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/30 19:55 | linux-4.19.y | 14260788bbb9 | 3a75be00 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/30 01:35 | linux-4.19.y | 14260788bbb9 | 3a75be00 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/29 11:45 | linux-4.19.y | 14260788bbb9 | 4f7e1d0f | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/28 22:29 | linux-4.19.y | 14260788bbb9 | 76357d6f | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/28 10:19 | linux-4.19.y | 14260788bbb9 | 97264cb1 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/26 08:41 | linux-4.19.y | 14260788bbb9 | 598ca6c8 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/25 23:40 | linux-4.19.y | 14260788bbb9 | 598ca6c8 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/23 16:31 | linux-4.19.y | c63ee2939dc1 | 598ca6c8 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/22 11:51 | linux-4.19.y | c63ee2939dc1 | 598ca6c8 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/22 09:05 | linux-4.19.y | c63ee2939dc1 | 8098ea0f | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/22 01:45 | linux-4.19.y | c63ee2939dc1 | 8098ea0f | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/20 18:53 | linux-4.19.y | c555efaf1402 | 432c7650 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/20 04:47 | linux-4.19.y | c555efaf1402 | 432c7650 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/19 09:22 | linux-4.19.y | c555efaf1402 | 432c7650 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/18 21:08 | linux-4.19.y | c555efaf1402 | d5696d51 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/18 19:43 | linux-4.19.y | c555efaf1402 | d5696d51 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/18 11:35 | linux-4.19.y | c555efaf1402 | d5696d51 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/15 04:04 | linux-4.19.y | c555efaf1402 | 048f2d49 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/12 17:27 | linux-4.19.y | 7d8dbefc22ff | 048f2d49 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/11 16:58 | linux-4.19.y | 7d8dbefc22ff | 377d77fa | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/11 14:12 | linux-4.19.y | 5ee93551c703 | dc438b91 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/11 07:15 | linux-4.19.y | 5ee93551c703 | dc438b91 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/11 02:03 | linux-4.19.y | 5ee93551c703 | dc438b91 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/10 16:52 | linux-4.19.y | 5ee93551c703 | dc438b91 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/11/09 23:13 | linux-4.19.y | 5ee93551c703 | dc438b91 | .config | console log | report | | | ci2-linux-4-19 |
| 2019/04/11 02:12 | linux-4.19.y | 4d552acf3370 | e955ac50 | .config | console log | report | | | ci2-linux-4-19 |
* Struck through repros no longer work on HEAD.