possible deadlock in blkdev_reread_part


syzbot

Apr 11, 2019, 8:00:39 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 06fe41f8
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=166f2d51800000
kernel config: https://syzkaller.appspot.com/x/.config?x=4fadd453521adb
dashboard link: https://syzkaller.appspot.com/bug?extid=313976955de89e3514f2
compiler: gcc (GCC) 7.1.1 20170620
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17455b61800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=134c0769800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+313976...@syzkaller.appspotmail.com


======================================================
[ INFO: possible circular locking dependency detected ]
4.9.75-g06fe41f #16 Not tainted
-------------------------------------------------------
syzkaller027926/3332 is trying to acquire lock:
(&bdev->bd_mutex){+.+.+.}, at: [<ffffffff81d34f1e>]
blkdev_reread_part+0x1e/0x40 block/ioctl.c:189
but task is already holding lock:
(&lo->lo_ctl_mutex#2){+.+...}, at: [<ffffffff824b6769>]
lo_compat_ioctl+0x109/0x140 drivers/block/loop.c:1515
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
lo_release+0x6b/0x140 drivers/block/loop.c:1569
__blkdev_put+0x5f7/0x7e0 fs/block_dev.c:1598
blkdev_put+0x85/0x550 fs/block_dev.c:1663
blkdev_close+0x8b/0xb0 fs/block_dev.c:1670
__fput+0x28c/0x6e0 fs/file_table.c:208
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x115/0x190 kernel/task_work.c:116
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
entry_SYSCALL_64_fastpath+0xe0/0xe2

check_prev_add kernel/locking/lockdep.c:1828 [inline]
check_prevs_add kernel/locking/lockdep.c:1938 [inline]
validate_chain kernel/locking/lockdep.c:2265 [inline]
__lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
blkdev_reread_part+0x1e/0x40 block/ioctl.c:189
loop_reread_partitions+0x78/0xe0 drivers/block/loop.c:634
loop_set_status+0x995/0xfc0 drivers/block/loop.c:1164
loop_set_status_compat+0x9a/0x100 drivers/block/loop.c:1488
lo_compat_ioctl+0x114/0x140 drivers/block/loop.c:1516
compat_blkdev_ioctl+0x3e3/0x3bc0 block/compat_ioctl.c:751
C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
compat_SyS_ioctl+0x15f/0x2050 fs/compat_ioctl.c:1549
do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&lo->lo_ctl_mutex#2);
                               lock(&bdev->bd_mutex);
                               lock(&lo->lo_ctl_mutex#2);
  lock(&bdev->bd_mutex);

*** DEADLOCK ***

1 lock held by syzkaller027926/3332:
#0: (&lo->lo_ctl_mutex#2){+.+...}, at: [<ffffffff824b6769>]
lo_compat_ioctl+0x109/0x140 drivers/block/loop.c:1515

stack backtrace:
CPU: 1 PID: 3332 Comm: syzkaller027926 Not tainted 4.9.75-g06fe41f #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801caa97768 ffffffff81d93049 ffffffff85385970 ffffffff85385970
ffffffff853b2850 ffff8801c980b8d8 ffff8801c980b000 ffff8801caa977b0
ffffffff81237431 ffff8801c980b8d8 00000000c980b8b0 ffff8801c980b8d8
Call Trace:
[<ffffffff81d93049>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d93049>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81237431>] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
[<ffffffff8123d869>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
[<ffffffff8123d869>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
[<ffffffff8123d869>] validate_chain kernel/locking/lockdep.c:2265 [inline]
[<ffffffff8123d869>] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
[<ffffffff8123ecee>] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
[<ffffffff838a6cdb>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[<ffffffff838a6cdb>] mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
[<ffffffff81d34f1e>] blkdev_reread_part+0x1e/0x40 block/ioctl.c:189
[<ffffffff824b12f8>] loop_reread_partitions+0x78/0xe0 drivers/block/loop.c:634
[<ffffffff824b1cf5>] loop_set_status+0x995/0xfc0 drivers/block/loop.c:1164
[<ffffffff824b23ba>] loop_set_status_compat+0x9a/0x100 drivers/block/loop.c:1488
[<ffffffff824b6774>] lo_compat_ioctl+0x114/0x140 drivers/block/loop.c:1516
[<ffffffff81d86e13>] compat_blkdev_ioctl+0x3e3/0x3bc0 block/compat_ioctl.c:751
[<ffffffff8167b72f>] C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
[<ffffffff8167b72f>] compat_SyS_ioctl+0x15f/0x2050 fs/compat_ioctl.c:1549
[<ffffffff81006fc7>] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
[<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
[<ffffffff838b2334>] entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 11, 2019, 8:00:43 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 610c8356
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=14f53311800000
kernel config: https://syzkaller.appspot.com/x/.config?x=44509e3077d6939
dashboard link: https://syzkaller.appspot.com/bug?extid=b63369398b0e8bf87f29
compiler: gcc (GCC) 7.1.1 20170620
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17898b11800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ed1889800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b63369...@syzkaller.appspotmail.com


======================================================
[ INFO: possible circular locking dependency detected ]
4.4.107-g610c835 #4 Not tainted
-------------------------------------------------------
syzkaller581102/3315 is trying to acquire lock:
(&bdev->bd_mutex){+.+.+.}, at: [<ffffffff81cab7ee>]
blkdev_reread_part+0x1e/0x40 block/ioctl.c:189

but task is already holding lock:
(&lo->lo_ctl_mutex#2){+.+.+.}, at: [<ffffffff82420ea9>]
lo_compat_ioctl+0x109/0x140 drivers/block/loop.c:1526

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

[<ffffffff8123a61e>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
[<ffffffff8376a89b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[<ffffffff8376a89b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
[<ffffffff82421e5b>] lo_release+0x6b/0x140 drivers/block/loop.c:1580
[<ffffffff815d2557>] __blkdev_put+0x5f7/0x7e0 fs/block_dev.c:1535
[<ffffffff815d35b5>] blkdev_put+0x85/0x550 fs/block_dev.c:1600
[<ffffffff815d3b0b>] blkdev_close+0x8b/0xb0 fs/block_dev.c:1607
[<ffffffff81521163>] __fput+0x233/0x6d0 fs/file_table.c:208
[<ffffffff81521685>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff811890a4>] task_work_run+0x104/0x180 kernel/task_work.c:115
[<ffffffff81003625>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
[<ffffffff81003625>] exit_to_usermode_loop+0x145/0x170 arch/x86/entry/common.c:251
[<ffffffff81006545>] prepare_exit_to_usermode arch/x86/entry/common.c:282 [inline]
[<ffffffff81006545>] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:347
[<ffffffff83773e9e>] int_ret_from_sys_call+0x25/0x9f

[<ffffffff8123797f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[<ffffffff8123797f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[<ffffffff8123797f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
[<ffffffff8123797f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
[<ffffffff8123a61e>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
[<ffffffff8376a89b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[<ffffffff8376a89b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
[<ffffffff81cab7ee>] blkdev_reread_part+0x1e/0x40 block/ioctl.c:189
[<ffffffff8241ba48>] loop_reread_partitions+0x78/0xe0 drivers/block/loop.c:645
[<ffffffff8241c445>] loop_set_status+0x995/0xfc0 drivers/block/loop.c:1175
[<ffffffff8241cb0a>] loop_set_status_compat+0x9a/0x100 drivers/block/loop.c:1499
[<ffffffff82420eb4>] lo_compat_ioctl+0x114/0x140 drivers/block/loop.c:1527
[<ffffffff81cf85a4>] compat_blkdev_ioctl+0x3d4/0x3b10 block/compat_ioctl.c:751
[<ffffffff8161d5ca>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
[<ffffffff8161d5ca>] compat_SyS_ioctl+0x28a/0x2540 fs/compat_ioctl.c:1544
[<ffffffff81006d84>] do_syscall_32_irqs_on arch/x86/entry/common.c:390 [inline]
[<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890 arch/x86/entry/common.c:457
[<ffffffff837754d7>] sysenter_flags_fixed+0xd/0x17

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&lo->lo_ctl_mutex#2);
                               lock(&bdev->bd_mutex);
                               lock(&lo->lo_ctl_mutex#2);
  lock(&bdev->bd_mutex);

*** DEADLOCK ***

1 lock held by syzkaller581102/3315:
#0: (&lo->lo_ctl_mutex#2){+.+.+.}, at: [<ffffffff82420ea9>]
lo_compat_ioctl+0x109/0x140 drivers/block/loop.c:1526

stack backtrace:
CPU: 0 PID: 3315 Comm: syzkaller581102 Not tainted 4.4.107-g610c835 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 c7dcb8468e4110f6 ffff8800b46175e8 ffffffff81d0457d
ffffffff85178be0 ffffffff85178be0 ffffffff851a3fc0 ffff8801d0c20898
ffff8801d0c20000 ffff8800b4617630 ffffffff812309f1 ffff8801d0c20898
Call Trace:
[<ffffffff81d0457d>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d0457d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff812309f1>] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
[<ffffffff8123797f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[<ffffffff8123797f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[<ffffffff8123797f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
[<ffffffff8123797f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
[<ffffffff8123a61e>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
[<ffffffff8376a89b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[<ffffffff8376a89b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
[<ffffffff81cab7ee>] blkdev_reread_part+0x1e/0x40 block/ioctl.c:189
[<ffffffff8241ba48>] loop_reread_partitions+0x78/0xe0 drivers/block/loop.c:645
[<ffffffff8241c445>] loop_set_status+0x995/0xfc0 drivers/block/loop.c:1175
[<ffffffff8241cb0a>] loop_set_status_compat+0x9a/0x100 drivers/block/loop.c:1499
[<ffffffff82420eb4>] lo_compat_ioctl+0x114/0x140 drivers/block/loop.c:1527
[<ffffffff81cf85a4>] compat_blkdev_ioctl+0x3d4/0x3b10 block/compat_ioctl.c:751
[<ffffffff8161d5ca>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
[<ffffffff8161d5ca>] compat_SyS_ioctl+0x28a/0x2540 fs/compat_ioctl.c:1544
[<ffffffff81006d84>] do_syscall_32_irqs_on arch/x86/entry/common.c:390 [inline]
[<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890 arch/x86/entry/common.c:457
[<ffffffff837754d7>] sysenter_flags_fixed+0xd/0x17