[syzbot] [mm?] possible deadlock in move_pages
16 views
Skip to first unread message
syzbot
Mar 19, 2024, 5:52:18 AMMar 19
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=160dc26e180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4ffb854606e658d
dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10f467b9180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=173b7ac9180000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-e5eb28f6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5c7ad05d6b2/vmlinux-e5eb28f6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/531cb1917612/bzImage-e5eb28f6.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+490566...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
6.8.0-syzkaller-09791-ge5eb28f6d1af #0 Not tainted
--------------------------------------------
syz-executor258/5169 is trying to acquire lock:
ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1447 [inline]
ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
but task is already holding lock:
ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&vma->vm_lock->lock);
lock(&vma->vm_lock->lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by syz-executor258/5169:
#0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:146 [inline]
#0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1438 [inline]
#0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: move_pages+0x8df/0x4970 mm/userfaultfd.c:1583
#1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
#1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
stack backtrace:
CPU: 2 PID: 5169 Comm: syz-executor258 Not tainted 6.8.0-syzkaller-09791-ge5eb28f6d1af #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain kernel/locking/lockdep.c:3856 [inline]
__lock_acquire+0x20e6/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
down_read+0x9a/0x330 kernel/locking/rwsem.c:1526
uffd_move_lock mm/userfaultfd.c:1447 [inline]
move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
userfaultfd_move fs/userfaultfd.c:2008 [inline]
userfaultfd_ioctl+0x5e1/0x60e0 fs/userfaultfd.c:2126
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl fs/ioctl.c:890 [inline]
__x64_sys_ioctl+0x193/0x220 fs/ioctl.c:890
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fd48da20329
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd1244f8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd1244fab8 RCX: 00007fd48da20329
RDX: 00000000200000c0 RSI: 00000000c028aa05 RDI: 0000000000000003
RBP: 00007fd48da93610 R08: 00007ffd1244fab8 R09: 00007ffd1244fab8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffd1244faa8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=160dc26e180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4ffb854606e658d
dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10f467b9180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=173b7ac9180000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-e5eb28f6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5c7ad05d6b2/vmlinux-e5eb28f6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/531cb1917612/bzImage-e5eb28f6.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+490566...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
6.8.0-syzkaller-09791-ge5eb28f6d1af #0 Not tainted
--------------------------------------------
syz-executor258/5169 is trying to acquire lock:
ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1447 [inline]
ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
but task is already holding lock:
ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&vma->vm_lock->lock);
lock(&vma->vm_lock->lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by syz-executor258/5169:
#0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:146 [inline]
#0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1438 [inline]
#0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: move_pages+0x8df/0x4970 mm/userfaultfd.c:1583
#1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
#1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
stack backtrace:
CPU: 2 PID: 5169 Comm: syz-executor258 Not tainted 6.8.0-syzkaller-09791-ge5eb28f6d1af #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain kernel/locking/lockdep.c:3856 [inline]
__lock_acquire+0x20e6/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
down_read+0x9a/0x330 kernel/locking/rwsem.c:1526
uffd_move_lock mm/userfaultfd.c:1447 [inline]
move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
userfaultfd_move fs/userfaultfd.c:2008 [inline]
userfaultfd_ioctl+0x5e1/0x60e0 fs/userfaultfd.c:2126
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl fs/ioctl.c:890 [inline]
__x64_sys_ioctl+0x193/0x220 fs/ioctl.c:890
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fd48da20329
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd1244f8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd1244fab8 RCX: 00007fd48da20329
RDX: 00000000200000c0 RSI: 00000000c028aa05 RDI: 0000000000000003
RBP: 00007fd48da93610 R08: 00007ffd1244fab8 R09: 00007ffd1244fab8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffd1244faa8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
David Hildenbrand
Mar 19, 2024, 9:37:45 AMMar 19
to syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Lokesh Gidra
commit 867a43a34ff8a38772212045262b2c9b77807ea3
Author: Lokesh Gidra <lokes...@google.com>
Date: Thu Feb 15 10:27:56 2024 -0800
userfaultfd: use per-vma locks in userfaultfd operations
All userfaultfd operations, except write-protect, opportunistically use
per-vma locks to lock vmas. On failure, attempt again inside mmap_lock
critical section.
Write-protect operation requires mmap_lock as it iterates over multiple
vmas.
and
commit 5e4c24a57b0c126686534b5b159a406c5dd02400
Author: Lokesh Gidra <lokes...@google.com>
Date: Thu Feb 15 10:27:54 2024 -0800
userfaultfd: protect mmap_changing with rw_sem in userfaulfd_ctx
Increments and loads to mmap_changing are always in mmap_lock critical
section. This ensures that if userspace requests event notification for
non-cooperative operations (e.g. mremap), userfaultfd operations don't
occur concurrently.
This can be achieved by using a separate read-write semaphore in
userfaultfd_ctx such that increments are done in write-mode and loads in
read-mode, thereby eliminating the dependency on mmap_lock for this
purpose.
This is a preparatory step before we replace mmap_lock usage with per-vma
locks in fill/move ioctls.
might responsible.
CCin Lokesh
--
Cheers,
David / dhildenb
Lokesh Gidra
Mar 19, 2024, 1:25:58 PMMar 19
to David Hildenbrand, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Suren Baghdasaryan
Lokesh Gidra
Mar 19, 2024, 7:48:02 PMMar 19
to David Hildenbrand, syzbot, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Suren Baghdasaryan, ak...@linux-foundation.org
with few additional checks:
down_read(&(*dst_vmap)->vm_lock->lock);
if (*dst_vmap != *src_vmap) {
BUG_ON((*src_vmap)->vm_lock == (*dst_vmap)->vm_lock);
BUG_ON(&(*src_vmap)->vm_lock->lock == &(*dst_vmap)->vm_lock->lock);
BUG_ON(rwsem_is_locked(&(*src_vmap)->vm_lock->lock));
down_read(&(*src_vmap)->vm_lock->lock);
}
None of the BUG_ONs are causing pani but the following down_read() is
reporting the deadlock as above. Even if I change the if condition to
if (&(*dst_vmap)->vm_lock->lock != &(*src_vmap)->vm_lock->lock)
I still get the deadlock trace. Possibly a bug in lockdep?
Hillf Danton
Mar 20, 2024, 6:46:07 AMMar 20
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 19 Mar 2024 02:52:16 -0700
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e5eb28f6d1af
--- x/mm/userfaultfd.c
+++ y/mm/userfaultfd.c
@@ -1442,9 +1442,9 @@ static int uffd_move_lock(struct mm_stru
* See comment in lock_vma() as to why not using
* vma_start_read() here.
*/
- down_read(&(*dst_vmap)->vm_lock->lock);
+ down_read_nested(&(*dst_vmap)->vm_lock->lock, 1);
if (*dst_vmap != *src_vmap)
- down_read(&(*src_vmap)->vm_lock->lock);
+ down_read_nested(&(*src_vmap)->vm_lock->lock, 2);
}
mmap_read_unlock(mm);
return err;
--
> syzbot found the following issue on:
>
> HEAD commit: e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=173b7ac9180000
>
> HEAD commit: e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
> git tree: upstream
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e5eb28f6d1af
--- x/mm/userfaultfd.c
+++ y/mm/userfaultfd.c
@@ -1442,9 +1442,9 @@ static int uffd_move_lock(struct mm_stru
* See comment in lock_vma() as to why not using
* vma_start_read() here.
*/
- down_read(&(*dst_vmap)->vm_lock->lock);
+ down_read_nested(&(*dst_vmap)->vm_lock->lock, 1);
if (*dst_vmap != *src_vmap)
- down_read(&(*src_vmap)->vm_lock->lock);
+ down_read_nested(&(*src_vmap)->vm_lock->lock, 2);
}
mmap_read_unlock(mm);
return err;
--
syzbot
Mar 20, 2024, 7:09:05 AMMar 20
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+490566...@syzkaller.appspotmail.com
Tested on:
commit: e5eb28f6 Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10b7afc1180000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+490566...@syzkaller.appspotmail.com
Tested on:
commit: e5eb28f6 Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10b7afc1180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4ffb854606e658d
dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17d44231180000
dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages