bisecting cause commit starting from 3c09c1950c8483eeeb4bf9615ecdcec7234c6790
building syzkaller on 63bf051fc1ccc110060be8490f4f5492b0a78766
testing commit 3c09c1950c8483eeeb4bf9615ecdcec7234c6790 with gcc (GCC) 8.1.0
all runs: crashed: possible deadlock in __do_page_fault
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 3c09c1950c8483eeeb4bf9615ecdcec7234c6790 v5.1
Bisecting: 8641 revisions left to test after this (roughly 13 steps)
[055128ee008b00fba14e3638e7e84fc2cff8d77d] Merge tag 'dmaengine-5.2-rc1' of git://git.infradead.org/users/vkoul/slave-dma
testing commit 055128ee008b00fba14e3638e7e84fc2cff8d77d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 055128ee008b00fba14e3638e7e84fc2cff8d77d
Bisecting: 4320 revisions left to test after this (roughly 12 steps)
[7ac3e13a9fb36cec252e80270c5da3315be5d77f] staging: kpc2000: kpc_i2c: fixup block comment style in i2c_driver.c
testing commit 7ac3e13a9fb36cec252e80270c5da3315be5d77f with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7ac3e13a9fb36cec252e80270c5da3315be5d77f
Bisecting: 2117 revisions left to test after this (roughly 11 steps)
[fb9228b219ccd37128eaca9882b1957f3d5c32e7] Merge remote-tracking branch 'net-next/master'
testing commit fb9228b219ccd37128eaca9882b1957f3d5c32e7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good fb9228b219ccd37128eaca9882b1957f3d5c32e7
Bisecting: 1066 revisions left to test after this (roughly 10 steps)
[ebc469a4473eed7c1b3cad178493c495b15a4d5c] Merge remote-tracking branch 'sound-asoc/for-next'
testing commit ebc469a4473eed7c1b3cad178493c495b15a4d5c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ebc469a4473eed7c1b3cad178493c495b15a4d5c
Bisecting: 528 revisions left to test after this (roughly 9 steps)
[18cf5fbcda0e92e7df54e71bf2c080bfc9b4cde3] Merge remote-tracking branch 'slave-dma/next'
testing commit 18cf5fbcda0e92e7df54e71bf2c080bfc9b4cde3 with gcc (GCC) 8.1.0
all runs: crashed: possible deadlock in __do_page_fault
# git bisect bad 18cf5fbcda0e92e7df54e71bf2c080bfc9b4cde3
Bisecting: 254 revisions left to test after this (roughly 8 steps)
[b8e71e227ff76cdef03ad2e38015d36a94fb45fc] Merge remote-tracking branch 'tip/auto-latest'
testing commit b8e71e227ff76cdef03ad2e38015d36a94fb45fc with gcc (GCC) 8.1.0
all runs: crashed: possible deadlock in __do_page_fault
# git bisect bad b8e71e227ff76cdef03ad2e38015d36a94fb45fc
Bisecting: 139 revisions left to test after this (roughly 7 steps)
[d6240950ae53ae7c6d955ce994ffc48e722831ca] Merge remote-tracking branch 'tpmdd/next'
testing commit d6240950ae53ae7c6d955ce994ffc48e722831ca with gcc (GCC) 8.1.0
all runs: crashed: possible deadlock in __do_page_fault
# git bisect bad d6240950ae53ae7c6d955ce994ffc48e722831ca
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[945338b7083fdbf15c4e95d426fef8a8ec02d7f2] Merge remote-tracking branch 'regulator/for-next'
testing commit 945338b7083fdbf15c4e95d426fef8a8ec02d7f2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 945338b7083fdbf15c4e95d426fef8a8ec02d7f2
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[ed7a397570e3300412cea587fb42343f2fc4fa95] Merge branch 'next-tpm' into next-testing
testing commit ed7a397570e3300412cea587fb42343f2fc4fa95 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ed7a397570e3300412cea587fb42343f2fc4fa95
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[55703b7584abc979726502880f1024a492f94e8e] Merge remote-tracking branch 'apparmor/apparmor-next'
testing commit 55703b7584abc979726502880f1024a492f94e8e with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 55703b7584abc979726502880f1024a492f94e8e
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[dabd57ca593c3cadf314656dbc23637b7a9fb570] Merge remote-tracking branch 'selinux/next'
testing commit dabd57ca593c3cadf314656dbc23637b7a9fb570 with gcc (GCC) 8.1.0
all runs: crashed: possible deadlock in __do_page_fault
# git bisect bad dabd57ca593c3cadf314656dbc23637b7a9fb570
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6] x86/ima: check EFI SetupMode too
testing commit 980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[b871b8a65b2bdd071ef4002fbefe17d00d0e0b41] Merge remote-tracking branch 'integrity/next-integrity'
testing commit b871b8a65b2bdd071ef4002fbefe17d00d0e0b41 with gcc (GCC) 8.1.0
all runs: crashed: possible deadlock in __do_page_fault
# git bisect bad b871b8a65b2bdd071ef4002fbefe17d00d0e0b41
Bisecting: 0 revisions left to test after this (roughly 1 step)
[8902b36bab4c9022432bebc17774fe8d4e3bee7e] ima: prevent a file already mmap'ed write to be mmap'ed execute
testing commit 8902b36bab4c9022432bebc17774fe8d4e3bee7e with gcc (GCC) 8.1.0
all runs: crashed: possible deadlock in __do_page_fault
# git bisect bad 8902b36bab4c9022432bebc17774fe8d4e3bee7e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[69d61f577d147b396be0991b2ac6f65057f7d445] ima: verify mprotect change is consistent with mmap policy
testing commit 69d61f577d147b396be0991b2ac6f65057f7d445 with gcc (GCC) 8.1.0
all runs: crashed: possible deadlock in __do_page_fault
# git bisect bad 69d61f577d147b396be0991b2ac6f65057f7d445
69d61f577d147b396be0991b2ac6f65057f7d445 is the first bad commit
commit 69d61f577d147b396be0991b2ac6f65057f7d445
Author: Mimi Zohar
Date:   Wed Apr 3 17:47:46 2019 -0400

    ima: verify mprotect change is consistent with mmap policy

    IMA can be configured to measure and appraise a file's integrity being
    mmap'ed execute. Files can be mmap'ed read/write and later changed to
    execute to circumvent IMA's mmap measurement and appraisal policy rules.
    To prevent this from happening, this patch similarly calls ima_file_mmap()
    for mprotect changes.

    Suggested-by: Stephen Smalley
    Signed-off-by: Mimi Zohar

:040000 040000 f557ca0e06c6bf3842a9d9d5c24ffe8575dd32dd a472fa46897ea0d4a7fd714fabb9aac3f7cc9bff M	security

revisions tested: 17, total time: 3h58m57.676846807s (build: 1h34m19.634932646s, test: 2h19m21.564069736s)
first bad commit: 69d61f577d147b396be0991b2ac6f65057f7d445 ima: verify mprotect change is consistent with mmap policy
cc: ["jmorris@namei.org" "linux-kernel@vger.kernel.org" "linux-security-module@vger.kernel.org" "serge@hallyn.com" "zohar@linux.ibm.com"]
crash: possible deadlock in __do_page_fault

======================================================
WARNING: possible circular locking dependency detected
5.2.0-rc1+ #1 Not tainted
------------------------------------------------------
syz-executor.5/8106 is trying to acquire lock:
0000000004fe485f (&mm->mmap_sem#2){++++}, at: do_user_addr_fault arch/x86/mm/fault.c:1408 [inline]
0000000004fe485f (&mm->mmap_sem#2){++++}, at: __do_page_fault+0x70f/0xa20 arch/x86/mm/fault.c:1523

but task is already holding lock:
0000000076931b9b (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_trylock include/linux/fs.h:798 [inline]
0000000076931b9b (&sb->s_type->i_mutex_key#10){+.+.}, at: ext4_file_write_iter+0x1e9/0xe90 fs/ext4/file.c:232

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&sb->s_type->i_mutex_key#10){+.+.}:
       down_write+0x38/0xa0 kernel/locking/rwsem.c:66
       inode_lock include/linux/fs.h:778 [inline]
       process_measurement+0x69e/0x14b0 security/integrity/ima/ima_main.c:207
       ima_file_mmap+0xf0/0x110 security/integrity/ima/ima_main.c:342
       security_file_mprotect+0x91/0xc0 security/security.c:1430
       do_mprotect_pkey+0x3b7/0x7f0 mm/mprotect.c:550
       __do_sys_pkey_mprotect mm/mprotect.c:590 [inline]
       __se_sys_pkey_mprotect mm/mprotect.c:587 [inline]
       __x64_sys_pkey_mprotect+0x92/0xf0 mm/mprotect.c:587
       do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&mm->mmap_sem#2){++++}:
       lock_acquire+0x173/0x3d0 kernel/locking/lockdep.c:4302
       down_read+0x3f/0x1e0 kernel/locking/rwsem.c:24
       do_user_addr_fault arch/x86/mm/fault.c:1408 [inline]
       __do_page_fault+0x70f/0xa20 arch/x86/mm/fault.c:1523
       do_page_fault+0x64/0x3a7 arch/x86/mm/fault.c:1554
       page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1156
       fault_in_pages_readable arch/x86/include/asm/smap.h:57 [inline]
       iov_iter_fault_in_readable+0x287/0x3a0 lib/iov_iter.c:425
       generic_perform_write+0x18e/0x480 mm/filemap.c:3195
       __generic_file_write_iter+0x201/0x580 mm/filemap.c:3334
       ext4_file_write_iter+0x288/0xe90 fs/ext4/file.c:266
       call_write_iter include/linux/fs.h:1872 [inline]
       new_sync_write+0x3fd/0x7e0 fs/read_write.c:483
       __vfs_write+0x94/0x110 fs/read_write.c:496
       vfs_write+0x150/0x4e0 fs/read_write.c:558
       ksys_write+0x105/0x220 fs/read_write.c:611
       __do_sys_write fs/read_write.c:623 [inline]
       __se_sys_write fs/read_write.c:620 [inline]
       __x64_sys_write+0x6e/0xb0 fs/read_write.c:620
       do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key#10);
                               lock(&mm->mmap_sem#2);
                               lock(&sb->s_type->i_mutex_key#10);
  lock(&mm->mmap_sem#2);

 *** DEADLOCK ***

3 locks held by syz-executor.5/8106:
 #0: 0000000018649f57 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xa7/0xd0 fs/file.c:801
 #1: 00000000f13f02b5 (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2837 [inline]
 #1: 00000000f13f02b5 (sb_writers#3){.+.+}, at: vfs_write+0x321/0x4e0 fs/read_write.c:557
 #2: 0000000076931b9b (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_trylock include/linux/fs.h:798 [inline]
 #2: 0000000076931b9b (&sb->s_type->i_mutex_key#10){+.+.}, at: ext4_file_write_iter+0x1e9/0xe90 fs/ext4/file.c:232

stack backtrace:
CPU: 1 PID: 8106 Comm: syz-executor.5 Not tainted 5.2.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_circular_bug.cold.59+0x1bd/0x27d kernel/locking/lockdep.c:1564
 check_prev_add kernel/locking/lockdep.c:2309 [inline]
 check_prevs_add kernel/locking/lockdep.c:2417 [inline]
 validate_chain kernel/locking/lockdep.c:2799 [inline]
 __lock_acquire+0x3853/0x55b0 kernel/locking/lockdep.c:3792
 lock_acquire+0x173/0x3d0 kernel/locking/lockdep.c:4302
 down_read+0x3f/0x1e0 kernel/locking/rwsem.c:24
 do_user_addr_fault arch/x86/mm/fault.c:1408 [inline]
 __do_page_fault+0x70f/0xa20 arch/x86/mm/fault.c:1523
 do_page_fault+0x64/0x3a7 arch/x86/mm/fault.c:1554
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1156
RIP: 0010:fault_in_pages_readable include/linux/pagemap.h:601 [inline]
RIP: 0010:iov_iter_fault_in_readable+0x287/0x3a0 lib/iov_iter.c:425
Code: 48 39 d7 0f 82 19 ff ff ff 0f 1f 00 0f ae e8 44 89 c0 8a 0a 0f 1f 00 85 c0 41 88 4d c0 74 da e9 f7 fe ff ff 0f 1f 00 0f ae e8 <8a> 11 0f 1f 00 85 c0 41 88 55 80 0f 85 03 ff ff ff 4c 29 e6 e9 48
RSP: 0018:ffff8880884e78b8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff1101109cf19 RCX: 000000002000127f
RDX: 00000000000000ff RSI: 0000000000001000 RDI: ffff8880884e7c01
RBP: ffff8880884e7990 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000001000
R13: ffff8880884e7968 R14: ffff8880884e7c90 R15: 0000000000000000
 generic_perform_write+0x18e/0x480 mm/filemap.c:3195
 __generic_file_write_iter+0x201/0x580 mm/filemap.c:3334
 ext4_file_write_iter+0x288/0xe90 fs/ext4/file.c:266
 call_write_iter include/linux/fs.h:1872 [inline]
 new_sync_write+0x3fd/0x7e0 fs/read_write.c:483
 __vfs_write+0x94/0x110 fs/read_write.c:496
 vfs_write+0x150/0x4e0 fs/read_write.c:558
 ksys_write+0x105/0x220 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:620
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007feca41ebc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
RDX: 000000000000ff7f RSI: 0000000020000280 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007feca41ec6d4
R13: 00000000004c8aa4 R14: 00000000004df468 R15: 00000000ffffffff