bisecting fixing commit since dafd634415a7f9892a6fcc99c540fe567ab42c92
building syzkaller on 8c88c9c1c99c8cd8dabc951164c820b9c9f25114
testing commit dafd634415a7f9892a6fcc99c540fe567ab42c92 with gcc (GCC) 8.1.0
kernel signature: 7c35a353f87de4f35d19079737b2c158fa74d047
all runs: crashed: possible deadlock in __might_fault
testing current HEAD dc4ba5be1babd3b3ec905751a30df89a5899a7a9
testing commit dc4ba5be1babd3b3ec905751a30df89a5899a7a9 with gcc (GCC) 8.1.0
kernel signature: 252a562b10ef5385477093a5e2544d6300e99a00
all runs: OK
# git bisect start dc4ba5be1babd3b3ec905751a30df89a5899a7a9 dafd634415a7f9892a6fcc99c540fe567ab42c92
Bisecting: 1481 revisions left to test after this (roughly 11 steps)
[046f0fcf7397fa0b6c7925d1f4fd3fe69af2278a] ocfs2: remove ocfs2_is_o2cb_active()
testing commit 046f0fcf7397fa0b6c7925d1f4fd3fe69af2278a with gcc (GCC) 8.1.0
kernel signature: d4475a679e690b2b18edc999f696bac30f190464
all runs: crashed: possible deadlock in __might_fault
# git bisect good 046f0fcf7397fa0b6c7925d1f4fd3fe69af2278a
Bisecting: 740 revisions left to test after this (roughly 10 steps)
[79bee5a380342b48d0ce177cb2fb75ef6eeeb1a2] powerpc: Fix vDSO clock_getres()
testing commit 79bee5a380342b48d0ce177cb2fb75ef6eeeb1a2 with gcc (GCC) 8.1.0
kernel signature: 9f96a014cfce0080bd67c60de7664c1633a6e077
all runs: OK
# git bisect bad 79bee5a380342b48d0ce177cb2fb75ef6eeeb1a2
Bisecting: 370 revisions left to test after this (roughly 9 steps)
[65e5e9913161e3c0d61528b6a1745e568635d94e] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
testing commit 65e5e9913161e3c0d61528b6a1745e568635d94e with gcc (GCC) 8.1.0
kernel signature: 553b418c1a4c2db338a49a32990155073c7cd936
all runs: crashed: possible deadlock in __might_fault
# git bisect good 65e5e9913161e3c0d61528b6a1745e568635d94e
Bisecting: 185 revisions left to test after this (roughly 8 steps)
[3bf78033c0441691cf1ba250a4020043ee5069d9] ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC
testing commit 3bf78033c0441691cf1ba250a4020043ee5069d9 with gcc (GCC) 8.1.0
kernel signature: 42fec776d1d2a7045c592921606559ec4c1ff388
all runs: crashed: possible deadlock in __might_fault
# git bisect good 3bf78033c0441691cf1ba250a4020043ee5069d9
Bisecting: 92 revisions left to test after this (roughly 7 steps)
[6e3b9068b863716bd4dfcff530055a042ad39d52] btrfs: check page->mapping when loading free space cache
testing commit 6e3b9068b863716bd4dfcff530055a042ad39d52 with gcc (GCC) 8.1.0
kernel signature: 9521c500361c7816c6a801b16c5897f9b3fc0b74
all runs: OK
# git bisect bad 6e3b9068b863716bd4dfcff530055a042ad39d52
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[23c81ea6b13647abbf218e50de9b5bdda2de7863] md/raid0: Fix an error message in raid0_make_request()
testing commit 23c81ea6b13647abbf218e50de9b5bdda2de7863 with gcc (GCC) 8.1.0
kernel signature: 2358d0f7d2f4149471c4af17bb52b64f5d56ba65
all runs: crashed: possible deadlock in __might_fault
# git bisect good 23c81ea6b13647abbf218e50de9b5bdda2de7863
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[0f5e357b8ff40103a9bbb018176c3bd8ba3abfb6] staging: gigaset: fix illegal free on probe errors
testing commit 0f5e357b8ff40103a9bbb018176c3bd8ba3abfb6 with gcc (GCC) 8.1.0
kernel signature: c2cab3a46cc0d52ef66e9dd5db3dd0eea26b03ee
all runs: crashed: possible deadlock in __might_fault
# git bisect good 0f5e357b8ff40103a9bbb018176c3bd8ba3abfb6
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[3d1eef385869d53f027c7c23bb475b56e438c98e] USB: serial: io_edgeport: fix epic endpoint lookup
testing commit 3d1eef385869d53f027c7c23bb475b56e438c98e with gcc (GCC) 8.1.0
kernel signature: df595f165679166ec067076034ebc4ebb05ba738
all runs: crashed: possible deadlock in __might_fault
# git bisect good 3d1eef385869d53f027c7c23bb475b56e438c98e
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[37b8438a6f49ab4d06a088dd55e5b09afa0d59ab] mtd: spear_smi: Fix Write Burst mode
testing commit 37b8438a6f49ab4d06a088dd55e5b09afa0d59ab with gcc (GCC) 8.1.0
kernel signature: 319e656b8f1db40a402e4055ea1bab139b6cf57e
all runs: OK
# git bisect bad 37b8438a6f49ab4d06a088dd55e5b09afa0d59ab
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[cf6a2fbc065a13579b0084b32650f8b045689979] usb: core: urb: fix URB structure initialization function
testing commit cf6a2fbc065a13579b0084b32650f8b045689979 with gcc (GCC) 8.1.0
kernel signature: c4a68e858d2fa31da05e35647c2e39f8db48169c
all runs: crashed: possible deadlock in __might_fault
# git bisect good cf6a2fbc065a13579b0084b32650f8b045689979
Bisecting: 0 revisions left to test after this (roughly 1 step)
[2e0e2b4860ccef8dc8033648e79fdff0d6a93613] tpm: add check after commands attribs tab allocation
testing commit 2e0e2b4860ccef8dc8033648e79fdff0d6a93613 with gcc (GCC) 8.1.0
kernel signature: f7789d0329aba46db6b8feffda6e4bfd713bc68d
all runs: OK
# git bisect bad 2e0e2b4860ccef8dc8033648e79fdff0d6a93613
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3757e3818838828f969ea51bea9b0e4ba948575e] usb: mon: Fix a deadlock in usbmon between mmap and read
testing commit 3757e3818838828f969ea51bea9b0e4ba948575e with gcc (GCC) 8.1.0
kernel signature: f82a58e746599445cfe2bf4ca2ffc304b3cf9f1c
all runs: OK
# git bisect bad 3757e3818838828f969ea51bea9b0e4ba948575e
3757e3818838828f969ea51bea9b0e4ba948575e is the first bad commit
commit 3757e3818838828f969ea51bea9b0e4ba948575e
Author: Pete Zaitcev
Date:   Wed Dec 4 20:39:41 2019 -0600

    usb: mon: Fix a deadlock in usbmon between mmap and read

    commit 19e6317d24c25ee737c65d1ffb7483bdda4bb54a upstream.

    The problem arises because our read() function grabs a lock of the circular buffer, finds something of interest, then invokes copy_to_user() straight from the buffer, which in turn takes mm->mmap_sem. In the same time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem. It attempts to take the fetch lock and deadlocks.

    This patch does away with protecting of our page list with any semaphores, and instead relies on the kernel not close the device while mmap is active in a process.

    In addition, we prohibit re-sizing of a buffer while mmap is active. This way, when (now unlocked) fault is processed, it works with the page that is intended to be mapped-in, and not some other random page. Note that this may have an ABI impact, but hopefully no legitimate program is this wrong.

    Signed-off-by: Pete Zaitcev
    Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com
    Reviewed-by: Alan Stern
    Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger")
    Cc:
    Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan
    Signed-off-by: Greg Kroah-Hartman

 drivers/usb/mon/mon_bin.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)
culprit signature: f82a58e746599445cfe2bf4ca2ffc304b3cf9f1c
parent signature: c4a68e858d2fa31da05e35647c2e39f8db48169c
revisions tested: 14, total time: 3h30m58.348348883s (build: 2h2m47.188295888s, test: 1h26m56.383296225s)
first good commit: 3757e3818838828f969ea51bea9b0e4ba948575e usb: mon: Fix a deadlock in usbmon between mmap and read
cc: ["gregkh@linuxfoundation.org" "stern@rowland.harvard.edu" "zaitcev@redhat.com"]