possible deadlock in seq_read


syzbot

Aug 5, 2019, 12:40:07 PM
to syzkaller...@googlegroups.com

Hello,

syzbot found the following crash on:

HEAD commit: b3060a1a Linux 4.19.64
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10d05036600000
kernel config: https://syzkaller.appspot.com/x/.config?x=40e496d2d42c10d5
dashboard link: https://syzkaller.appspot.com/bug?extid=f54e3f04854769438c51
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f54e3f...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
4.19.64 #38 Not tainted
------------------------------------------------------
syz-executor.4/9485 is trying to acquire lock:
00000000aba9b6ea (&p->lock){+.+.}, at: seq_read+0x71/0x1110 fs/seq_file.c:161

but task is already holding lock:
00000000d0fce81a (&sig->cred_guard_mutex){+.+.}, at: prepare_bprm_creds+0x55/0x120 fs/exec.c:1404

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&sig->cred_guard_mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
mutex_lock_killable_nested+0x16/0x20 kernel/locking/mutex.c:1102
lock_trace+0x4a/0xe0 fs/proc/base.c:402
proc_pid_syscall+0x98/0x250 fs/proc/base.c:635
proc_single_show+0xf0/0x180 fs/proc/base.c:755
seq_read+0x4ca/0x1110 fs/seq_file.c:229
do_loop_readv_writev fs/read_write.c:701 [inline]
do_loop_readv_writev fs/read_write.c:688 [inline]
do_iter_read+0x490/0x640 fs/read_write.c:925
vfs_readv+0xf0/0x160 fs/read_write.c:987
kernel_readv fs/splice.c:362 [inline]
default_file_splice_read+0x478/0x890 fs/splice.c:417
do_splice_to+0x127/0x180 fs/splice.c:881
splice_direct_to_actor+0x256/0x890 fs/splice.c:953
do_splice_direct+0x1da/0x2a0 fs/splice.c:1062
do_sendfile+0x597/0xce0 fs/read_write.c:1447
__do_sys_sendfile64 fs/read_write.c:1508 [inline]
__se_sys_sendfile64 fs/read_write.c:1494 [inline]
__x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1494
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&p->lock){+.+.}:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
seq_read+0x71/0x1110 fs/seq_file.c:161
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
kernel_read+0xab/0x120 fs/read_write.c:431
prepare_binprm+0x6a2/0x940 fs/exec.c:1581
__do_execve_file.isra.0+0xf58/0x2150 fs/exec.c:1800
do_execveat_common fs/exec.c:1866 [inline]
do_execveat fs/exec.c:1894 [inline]
__do_sys_execveat fs/exec.c:1975 [inline]
__se_sys_execveat fs/exec.c:1967 [inline]
__x64_sys_execveat+0xed/0x130 fs/exec.c:1967
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&sig->cred_guard_mutex);
lock(&p->lock);
lock(&sig->cred_guard_mutex);
lock(&p->lock);

*** DEADLOCK ***

1 lock held by syz-executor.4/9485:
#0: 00000000d0fce81a (&sig->cred_guard_mutex){+.+.}, at: prepare_bprm_creds+0x55/0x120 fs/exec.c:1404

stack backtrace:
CPU: 0 PID: 9485 Comm: syz-executor.4 Not tainted 4.19.64 #38
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1221
check_prev_add kernel/locking/lockdep.c:1861 [inline]
check_prevs_add kernel/locking/lockdep.c:1974 [inline]
validate_chain kernel/locking/lockdep.c:2415 [inline]
__lock_acquire+0x2e19/0x49c0 kernel/locking/lockdep.c:3411
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
seq_read+0x71/0x1110 fs/seq_file.c:161
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
kernel_read+0xab/0x120 fs/read_write.c:431
prepare_binprm+0x6a2/0x940 fs/exec.c:1581
__do_execve_file.isra.0+0xf58/0x2150 fs/exec.c:1800
do_execveat_common fs/exec.c:1866 [inline]
do_execveat fs/exec.c:1894 [inline]
__do_sys_execveat fs/exec.c:1975 [inline]
__se_sys_execveat fs/exec.c:1967 [inline]
__x64_sys_execveat+0xed/0x130 fs/exec.c:1967
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459829
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f295d52ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000142
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459829
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000001000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f295d52f6d4
R13: 00000000004bff30 R14: 00000000004d1de8 R15: 00000000ffffffff
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
bond0: Error: Device is in use and cannot be enslaved
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
bond0: Error: Device is in use and cannot be enslaved
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
bond0: Error: Device is in use and cannot be enslaved
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=10379 comm=syz-executor.4
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
bond0: Error: Device is in use and cannot be enslaved
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=10395 comm=syz-executor.4
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=10516 comm=syz-executor.4
bond0: Error: Device is in use and cannot be enslaved
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=43
sclass=netlink_route_socket pig=10638 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=10640 comm=syz-executor.4
bond0: Error: Device is in use and cannot be enslaved
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=11013 comm=syz-executor.4
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000003c1ea05f): kobject_uevent_env
kobject: 'loop1' (000000003c1ea05f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=11027 comm=syz-executor.4
kobject: 'loop5' (00000000b1843b20): kobject_uevent_env
kobject: 'loop5' (00000000b1843b20): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d0d7805e): kobject_uevent_env
kobject: 'loop4' (00000000d0d7805e): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop0' (00000000fdc5fd16): kobject_uevent_env
kobject: 'loop0' (00000000fdc5fd16): fill_kobj_path: path
= '/devices/virtual/block/loop0'


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Mar 11, 2020, 2:00:11 PM
to syzkaller...@googlegroups.com

syzbot has found a reproducer for the following crash on:

HEAD commit: 56920971 Linux 4.19.109
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=158e0af9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c73648903e665531
dashboard link: https://syzkaller.appspot.com/bug?extid=f54e3f04854769438c51
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11f96ee3e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f54e3f...@syzkaller.appspotmail.com

audit: type=1400 audit(1583949255.299:41): avc: denied { associate } for pid=8082 comm="syz-executor.3" name="syz3" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
======================================================
WARNING: possible circular locking dependency detected
4.19.109-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/8367 is trying to acquire lock:
0000000077f0bd1e (&p->lock){+.+.}, at: seq_read+0x6b/0x10f0 fs/seq_file.c:161

but task is already holding lock:
00000000f11f8274 (sb_writers#4){.+.+}, at: file_start_write include/linux/fs.h:2775 [inline]
00000000f11f8274 (sb_writers#4){.+.+}, at: do_sendfile+0x939/0xc10 fs/read_write.c:1446

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (sb_writers#4){.+.+}:
sb_start_write include/linux/fs.h:1578 [inline]
mnt_want_write+0x3a/0xb0 fs/namespace.c:360
ovl_create_object+0x96/0x290 fs/overlayfs/dir.c:600
lookup_open+0x11f6/0x19b0 fs/namei.c:3235
do_last fs/namei.c:3327 [inline]
path_openat+0x13cb/0x4200 fs/namei.c:3537
do_filp_open+0x1a1/0x280 fs/namei.c:3567
do_sys_open+0x3c0/0x500 fs/open.c:1088
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&ovl_i_mutex_dir_key[depth]){++++}:
inode_lock_shared include/linux/fs.h:757 [inline]
do_last fs/namei.c:3326 [inline]
path_openat+0x1d18/0x4200 fs/namei.c:3537
do_filp_open+0x1a1/0x280 fs/namei.c:3567
do_open_execat+0x124/0x5b0 fs/exec.c:853
__do_execve_file.isra.0+0x1577/0x2110 fs/exec.c:1755
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&sig->cred_guard_mutex){+.+.}:
lock_trace+0x45/0xe0 fs/proc/base.c:402
proc_pid_syscall+0x94/0x240 fs/proc/base.c:635
proc_single_show+0xeb/0x170 fs/proc/base.c:755
seq_read+0x4b9/0x10f0 fs/seq_file.c:229
do_loop_readv_writev fs/read_write.c:701 [inline]
do_loop_readv_writev fs/read_write.c:688 [inline]
do_iter_read+0x46b/0x640 fs/read_write.c:925
vfs_readv+0xf0/0x160 fs/read_write.c:987
do_preadv+0x1b6/0x270 fs/read_write.c:1071
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&p->lock){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
seq_read+0x6b/0x10f0 fs/seq_file.c:161
do_loop_readv_writev fs/read_write.c:701 [inline]
do_loop_readv_writev fs/read_write.c:688 [inline]
do_iter_read+0x46b/0x640 fs/read_write.c:925
vfs_readv+0xf0/0x160 fs/read_write.c:987
kernel_readv fs/splice.c:362 [inline]
default_file_splice_read+0x478/0x970 fs/splice.c:417
do_splice_to+0x10e/0x160 fs/splice.c:881
splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959
do_splice_direct+0x1a8/0x270 fs/splice.c:1068
do_sendfile+0x549/0xc10 fs/read_write.c:1447
__do_sys_sendfile64 fs/read_write.c:1508 [inline]
__se_sys_sendfile64 fs/read_write.c:1494 [inline]
__x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1494
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
&p->lock --> &ovl_i_mutex_dir_key[depth] --> sb_writers#4

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(sb_writers#4);
lock(&ovl_i_mutex_dir_key[depth]);
lock(sb_writers#4);
lock(&p->lock);

*** DEADLOCK ***

1 lock held by syz-executor.1/8367:
#0: 00000000f11f8274 (sb_writers#4){.+.+}, at: file_start_write include/linux/fs.h:2775 [inline]
#0: 00000000f11f8274 (sb_writers#4){.+.+}, at: do_sendfile+0x939/0xc10 fs/read_write.c:1446

stack backtrace:
CPU: 1 PID: 8367 Comm: syz-executor.1 Not tainted 4.19.109-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_circular_bug.isra.0.cold+0x1c4/0x282 kernel/locking/lockdep.c:1221
check_prev_add kernel/locking/lockdep.c:1861 [inline]
check_prevs_add kernel/locking/lockdep.c:1974 [inline]
validate_chain kernel/locking/lockdep.c:2415 [inline]
__lock_acquire+0x2e19/0x49c0 kernel/locking/lockdep.c:3411
lock_acquire+0x170/0x400 kernel/locking/lockdep.c:3903
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
seq_read+0x6b/0x10f0 fs/seq_file.c:161
do_loop_readv_writev fs/read_write.c:701 [inline]
do_loop_readv_writev fs/read_write.c:688 [inline]
do_iter_read+0x46b/0x640 fs/read_write.c:925
vfs_readv+0xf0/0x160 fs/read_write.c:987
kernel_readv fs/splice.c:362 [inline]
default_file_splice_read+0x478/0x970 fs/splice.c:417
do_splice_to+0x10e/0x160 fs/splice.c:881
splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959
do_splice_direct+0x1a8/0x270 fs/splice.c:1068
do_sendfile+0x549/0xc10 fs/read_write.c:1447
__do_sys_sendfile64 fs/read_write.c:1508 [inline]
__se_sys_sendfile64 fs/read_write.c:1494 [inline]
__x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1494
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c6c9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f2a1c755c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f2a1c7566d4 RCX: 000000000045c6c9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000283 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008d1 R14: 00000000004cb5d0 R15: 000000000076bf2c
overlayfs: failed to resolve './bus': -2

syzbot

Apr 3, 2021, 1:30:22 AM
to syzkaller...@googlegroups.com

syzbot has found a reproducer for the following issue on:

HEAD commit: 2034d6f0 Linux 4.19.184
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1190b45ed00000
kernel config: https://syzkaller.appspot.com/x/.config?x=42af7daace4bc0cc
dashboard link: https://syzkaller.appspot.com/bug?extid=f54e3f04854769438c51
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=118c88fcd00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12e9ea6ed00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f54e3f...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
4.19.184-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor033/9854 is trying to acquire lock:
00000000677b6950 (&p->lock){+.+.}, at: seq_read+0x6b/0x1160 fs/seq_file.c:161

but task is already holding lock:
00000000d744bf39 (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline]
00000000d744bf39 (sb_writers#3){.+.+}, at: do_sendfile+0x97d/0xc30 fs/read_write.c:1446

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (sb_writers#3){.+.+}:
sb_start_write include/linux/fs.h:1579 [inline]
mnt_want_write+0x3a/0xb0 fs/namespace.c:360
ovl_create_object+0x96/0x290 fs/overlayfs/dir.c:600
lookup_open+0x893/0x1a20 fs/namei.c:3235
do_last fs/namei.c:3327 [inline]
path_openat+0x1094/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&ovl_i_mutex_dir_key[depth]){++++}:
inode_lock_shared include/linux/fs.h:758 [inline]
do_last fs/namei.c:3326 [inline]
path_openat+0x17ec/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_open_execat+0x11d/0x5b0 fs/exec.c:853
__do_execve_file+0x1a8b/0x2360 fs/exec.c:1770
do_execveat_common fs/exec.c:1879 [inline]
do_execve+0x35/0x50 fs/exec.c:1896
__do_sys_execve fs/exec.c:1977 [inline]
__se_sys_execve fs/exec.c:1972 [inline]
__x64_sys_execve+0x7c/0xa0 fs/exec.c:1972
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&sig->cred_guard_mutex){+.+.}:
do_io_accounting fs/proc/base.c:2737 [inline]
proc_tgid_io_accounting+0x1cf/0x7f0 fs/proc/base.c:2786
proc_single_show+0xeb/0x170 fs/proc/base.c:755
seq_read+0x4be/0x1160 fs/seq_file.c:229
do_loop_readv_writev fs/read_write.c:701 [inline]
do_loop_readv_writev fs/read_write.c:688 [inline]
do_iter_read+0x471/0x630 fs/read_write.c:925
vfs_readv+0xe5/0x150 fs/read_write.c:987
kernel_readv fs/splice.c:362 [inline]
default_file_splice_read+0x457/0xa00 fs/splice.c:417
do_splice_to+0x10e/0x160 fs/splice.c:881
splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959
do_splice_direct+0x1a7/0x270 fs/splice.c:1068
do_sendfile+0x550/0xc30 fs/read_write.c:1447
__do_sys_sendfile64 fs/read_write.c:1508 [inline]
__se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&p->lock){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xd7/0x1260 kernel/locking/mutex.c:1072
seq_read+0x6b/0x1160 fs/seq_file.c:161
do_loop_readv_writev fs/read_write.c:701 [inline]
do_loop_readv_writev fs/read_write.c:688 [inline]
do_iter_read+0x471/0x630 fs/read_write.c:925
vfs_readv+0xe5/0x150 fs/read_write.c:987
kernel_readv fs/splice.c:362 [inline]
default_file_splice_read+0x457/0xa00 fs/splice.c:417
do_splice_to+0x10e/0x160 fs/splice.c:881
splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959
do_splice_direct+0x1a7/0x270 fs/splice.c:1068
do_sendfile+0x550/0xc30 fs/read_write.c:1447
__do_sys_sendfile64 fs/read_write.c:1508 [inline]
__se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
&p->lock --> &ovl_i_mutex_dir_key[depth] --> sb_writers#3

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(sb_writers#3);
lock(&ovl_i_mutex_dir_key[depth]);
lock(sb_writers#3);
lock(&p->lock);

*** DEADLOCK ***

1 lock held by syz-executor033/9854:
#0: 00000000d744bf39 (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline]
#0: 00000000d744bf39 (sb_writers#3){.+.+}, at: do_sendfile+0x97d/0xc30 fs/read_write.c:1446

stack backtrace:
CPU: 0 PID: 9854 Comm: syz-executor033 Not tainted 4.19.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1221
check_prev_add kernel/locking/lockdep.c:1865 [inline]
check_prevs_add kernel/locking/lockdep.c:1978 [inline]
validate_chain kernel/locking/lockdep.c:2419 [inline]
__lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3415
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xd7/0x1260 kernel/locking/mutex.c:1072
seq_read+0x6b/0x1160 fs/seq_file.c:161
do_loop_readv_writev fs/read_write.c:701 [inline]
do_loop_readv_writev fs/read_write.c:688 [inline]
do_iter_read+0x471/0x630 fs/read_write.c:925
vfs_readv+0xe5/0x150 fs/read_write.c:987
kernel_readv fs/splice.c:362 [inline]
default_file_splice_read+0x457/0xa00 fs/splice.c:417
do_splice_to+0x10e/0x160 fs/splice.c:881
splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959
do_splice_direct+0x1a7/0x270 fs/splice.c:1068
do_sendfile+0x550/0xc30 fs/read_write.c:1447
__do_sys_sendfile64 fs/read_write.c:1508 [inline]
__se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4461b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3ecd851278 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000004cb4f0 RCX: 00000000004461b9
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000004
RBP: 000000000049b0a8 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 000000000000f6c1 R11: 0000000000000246 R12: 0030656c69662f2e
R13: 00007f3ecd851280 R14: 0079616c7265766f R15: 00000000004cb4f8
syz-executor033 (9856) used greatest stack depth: 23600 bytes left
