bisecting fixing commit since c3038e718a19fc596f7b1baba0f83d5146dc7784
building syzkaller on 8c88c9c1c99c8cd8dabc951164c820b9c9f25114
testing commit c3038e718a19fc596f7b1baba0f83d5146dc7784 with gcc (GCC) 8.1.0
kernel signature: f564905b16ff1a16dc2584e94bf36946c6e95440
all runs: crashed: possible deadlock in mon_bin_vma_fault
testing current HEAD db5b9190ff8202b609fe802ccde41cb28669389f
testing commit db5b9190ff8202b609fe802ccde41cb28669389f with gcc (GCC) 8.1.0
kernel signature: d2645bde690c5a478f21490d16ec94b6a993c643
all runs: OK
# git bisect start db5b9190ff8202b609fe802ccde41cb28669389f c3038e718a19fc596f7b1baba0f83d5146dc7784
Bisecting: 1397 revisions left to test after this (roughly 11 steps)
[36bef080b55f9264d587085d9b00d658d4eafa22] net: phy: dp83867: increase SGMII autoneg timer duration
testing commit 36bef080b55f9264d587085d9b00d658d4eafa22 with gcc (GCC) 8.1.0
kernel signature: 19ba87483052c0965b68c7e956863e105821a408
all runs: crashed: possible deadlock in mon_bin_vma_fault
# git bisect good 36bef080b55f9264d587085d9b00d658d4eafa22
Bisecting: 698 revisions left to test after this (roughly 10 steps)
[e0dd31b9e5f4d1ff5edc36f12c52d1b997004fc4] powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB
testing commit e0dd31b9e5f4d1ff5edc36f12c52d1b997004fc4 with gcc (GCC) 8.1.0
kernel signature: d0a86dcfdc1ec929db6375d333d2848946e49037
all runs: OK
# git bisect bad e0dd31b9e5f4d1ff5edc36f12c52d1b997004fc4
Bisecting: 349 revisions left to test after this (roughly 9 steps)
[3e777af50963bc38d816190fe07e79f519d66a0b] mailbox: mailbox-test: fix null pointer if no mmio
testing commit 3e777af50963bc38d816190fe07e79f519d66a0b with gcc (GCC) 8.1.0
kernel signature: 8cccb9834406f4d8f7dc02594a28e2c0a77f3539
all runs: crashed: possible deadlock in mon_bin_vma_fault
# git bisect good 3e777af50963bc38d816190fe07e79f519d66a0b
Bisecting: 174 revisions left to test after this (roughly 8 steps)
[ab9d56dace3bdd7ed6957923b85c6cb29f959d68] ARM: dts: realview: Fix some more duplicate regulator nodes
testing commit ab9d56dace3bdd7ed6957923b85c6cb29f959d68 with gcc (GCC) 8.1.0
kernel signature: 6eaaa06779f261e36f739a09daaaed425b7c6fd0
all runs: crashed: possible deadlock in mon_bin_vma_fault
# git bisect good ab9d56dace3bdd7ed6957923b85c6cb29f959d68
Bisecting: 87 revisions left to test after this (roughly 7 steps)
[0977763a13fd87a7aebe376dc96385758de3aa9e] appletalk: Fix potential NULL pointer dereference in unregister_snap_client
testing commit 0977763a13fd87a7aebe376dc96385758de3aa9e with gcc (GCC) 8.1.0
kernel signature: de54b97982a34cd2afeb48b45df2771be523bc1f
all runs: crashed: possible deadlock in mon_bin_vma_fault
# git bisect good 0977763a13fd87a7aebe376dc96385758de3aa9e
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[f80318536150968ae29b03cc7e9bcc57c392642f] Btrfs: send, skip backreference walking for extents with many references
testing commit f80318536150968ae29b03cc7e9bcc57c392642f with gcc (GCC) 8.1.0
kernel signature: 5ed9b6c06b67657eadf317cef66c492499ef64dd
all runs: OK
# git bisect bad f80318536150968ae29b03cc7e9bcc57c392642f
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[299f9959676426a3df2bc10e0057608041be8c3b] iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting
testing commit 299f9959676426a3df2bc10e0057608041be8c3b with gcc (GCC) 8.1.0
kernel signature: 03f6af5d2bcbaa62872c4d9e79e3fb9c53fa9fda
all runs: crashed: possible deadlock in mon_bin_vma_fault
# git bisect good 299f9959676426a3df2bc10e0057608041be8c3b
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[472f9483303d851d77a6d7190ef37f89646980d1] virtio-balloon: fix managed page counts when migrating pages between zones
testing commit 472f9483303d851d77a6d7190ef37f89646980d1 with gcc (GCC) 8.1.0
kernel signature: 4705edd6ffd6d6df6f56b0d9c7ec6ff6f286785e
all runs: OK
# git bisect bad 472f9483303d851d77a6d7190ef37f89646980d1
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[c3dde73859c11c068d015a75d1968edb6527e3de] usb: roles: fix a potential use after free
testing commit c3dde73859c11c068d015a75d1968edb6527e3de with gcc (GCC) 8.1.0
kernel signature: fae0dfc9090ec3f4b39723df9dc28868ee8c1188
all runs: crashed: possible deadlock in mon_bin_vma_fault
# git bisect good c3dde73859c11c068d015a75d1968edb6527e3de
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[3757e3818838828f969ea51bea9b0e4ba948575e] usb: mon: Fix a deadlock in usbmon between mmap and read
testing commit 3757e3818838828f969ea51bea9b0e4ba948575e with gcc (GCC) 8.1.0
kernel signature: 208c31844099ee9d475b13783c881e1b620cec3c
all runs: OK
# git bisect bad 3757e3818838828f969ea51bea9b0e4ba948575e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[cf6a2fbc065a13579b0084b32650f8b045689979] usb: core: urb: fix URB structure initialization function
testing commit cf6a2fbc065a13579b0084b32650f8b045689979 with gcc (GCC) 8.1.0
kernel signature: e8ed2a98e163580a4c41dd36516a11731fb46ef9
all runs: crashed: possible deadlock in mon_bin_vma_fault
# git bisect good cf6a2fbc065a13579b0084b32650f8b045689979
3757e3818838828f969ea51bea9b0e4ba948575e is the first bad commit
commit 3757e3818838828f969ea51bea9b0e4ba948575e
Author: Pete Zaitcev
Date:   Wed Dec 4 20:39:41 2019 -0600

    usb: mon: Fix a deadlock in usbmon between mmap and read

    commit 19e6317d24c25ee737c65d1ffb7483bdda4bb54a upstream.

    The problem arises because our read() function grabs a lock of the
    circular buffer, finds something of interest, then invokes copy_to_user()
    straight from the buffer, which in turn takes mm->mmap_sem. At the same
    time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem.
    It attempts to take the fetch lock and deadlocks.

    This patch does away with protecting our page list with any semaphores,
    and instead relies on the kernel not closing the device while mmap is
    active in a process. In addition, we prohibit re-sizing of a buffer
    while mmap is active. This way, when the (now unlocked) fault is
    processed, it works with the page that is intended to be mapped-in,
    and not some other random page. Note that this may have an ABI impact,
    but hopefully no legitimate program is this wrong.

    Signed-off-by: Pete Zaitcev
    Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com
    Reviewed-by: Alan Stern
    Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger")
    Cc:
    Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan
    Signed-off-by: Greg Kroah-Hartman

 drivers/usb/mon/mon_bin.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)
culprit signature: 208c31844099ee9d475b13783c881e1b620cec3c
parent signature: e8ed2a98e163580a4c41dd36516a11731fb46ef9
revisions tested: 13, total time: 3h16m5.447560267s (build: 1h51m12.050177189s, test: 1h23m40.795450763s)
first good commit: 3757e3818838828f969ea51bea9b0e4ba948575e usb: mon: Fix a deadlock in usbmon between mmap and read
cc: ["gregkh@linuxfoundation.org" "stern@rowland.harvard.edu" "zaitcev@redhat.com"]