possible deadlock in vfs_fallocate
7 views
Skip to first unread message
syzbot
Apr 21, 2019, 12:20:06 PM4/21/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17ce2657200000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=368834a2d8d850ed556f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134e3b6b200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13570618a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+368834...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1555861071.484:36): avc: denied { map } for
pid=7169 comm="syz-executor974" path="/root/syz-executor974282694"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
audit: type=1400 audit(1555861071.484:37): avc: denied { map } for
pid=7169 comm="syz-executor974" path="/dev/ashmem" dev="devtmpfs" ino=15231
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.14.113 #3 Not tainted
------------------------------------------------------
syz-executor974/7169 is trying to acquire lock:
(sb_writers#6){.+.+}, at: [<ffffffff818cb983>] file_start_write
include/linux/fs.h:2702 [inline]
(sb_writers#6){.+.+}, at: [<ffffffff818cb983>] vfs_fallocate+0x5d3/0x7a0
fs/open.c:318
but task is already holding lock:
(ashmem_mutex){+.+.}, at: [<ffffffff84a9c956>]
ashmem_shrink_scan+0x56/0x420 drivers/staging/android/ashmem.c:454
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (ashmem_mutex){+.+.}:
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xe8/0x1470 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
ashmem_mmap+0x55/0x490 drivers/staging/android/ashmem.c:369
call_mmap include/linux/fs.h:1779 [inline]
mmap_region+0x858/0x1030 mm/mmap.c:1722
do_mmap+0x5b8/0xcd0 mm/mmap.c:1500
do_mmap_pgoff include/linux/mm.h:2165 [inline]
vm_mmap_pgoff+0x17a/0x1d0 mm/util.c:333
SYSC_mmap_pgoff mm/mmap.c:1550 [inline]
SyS_mmap_pgoff+0x3ca/0x520 mm/mmap.c:1508
SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
-> #1 (&mm->mmap_sem){++++}:
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__might_fault mm/memory.c:4578 [inline]
__might_fault+0x143/0x1d0 mm/memory.c:4563
_copy_from_user+0x2c/0x110 lib/usercopy.c:10
copy_from_user include/linux/uaccess.h:147 [inline]
setxattr+0x153/0x350 fs/xattr.c:438
path_setxattr+0x11f/0x140 fs/xattr.c:472
SYSC_lsetxattr fs/xattr.c:494 [inline]
SyS_lsetxattr+0x38/0x50 fs/xattr.c:490
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
-> #0 (sb_writers#6){.+.+}:
check_prev_add kernel/locking/lockdep.c:1901 [inline]
check_prevs_add kernel/locking/lockdep.c:2018 [inline]
validate_chain kernel/locking/lockdep.c:2460 [inline]
__lock_acquire+0x2c89/0x45e0 kernel/locking/lockdep.c:3487
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36
[inline]
percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
__sb_start_write+0x1ae/0x2f0 fs/super.c:1363
file_start_write include/linux/fs.h:2702 [inline]
vfs_fallocate+0x5d3/0x7a0 fs/open.c:318
ashmem_shrink_scan drivers/staging/android/ashmem.c:461 [inline]
ashmem_shrink_scan+0x181/0x420 drivers/staging/android/ashmem.c:445
ashmem_ioctl+0x28f/0xf10 drivers/staging/android/ashmem.c:803
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
other info that might help us debug this:
Chain exists of:
sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(ashmem_mutex);
lock(&mm->mmap_sem);
lock(ashmem_mutex);
lock(sb_writers#6);
*** DEADLOCK ***
1 lock held by syz-executor974/7169:
#0: (ashmem_mutex){+.+.}, at: [<ffffffff84a9c956>]
ashmem_shrink_scan+0x56/0x420 drivers/staging/android/ashmem.c:454
stack backtrace:
CPU: 0 PID: 7169 Comm: syz-executor974 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1901 [inline]
check_prevs_add kernel/locking/lockdep.c:2018 [inline]
validate_chain kernel/locking/lockdep.c:2460 [inline]
__lock_acquire+0x2c89/0x45e0 kernel/locking/lockdep.c:3487
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
__sb_start_write+0x1ae/0x2f0 fs/super.c:1363
file_start_write include/linux/fs.h:2702 [inline]
vfs_fallocate+0x5d3/0x7a0 fs/open.c:318
ashmem_shrink_scan drivers/staging/android/ashmem.c:461 [inline]
ashmem_shrink_scan+0x181/0x420 drivers/staging/android/ashmem.c:445
ashmem_ioctl+0x28f/0xf10 drivers/staging/android/ashmem.c:803
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4401c9
RSP: 002b:00007fff190b9688 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17ce2657200000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=368834a2d8d850ed556f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134e3b6b200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13570618a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+368834...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1555861071.484:36): avc: denied { map } for
pid=7169 comm="syz-executor974" path="/root/syz-executor974282694"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
audit: type=1400 audit(1555861071.484:37): avc: denied { map } for
pid=7169 comm="syz-executor974" path="/dev/ashmem" dev="devtmpfs" ino=15231
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.14.113 #3 Not tainted
------------------------------------------------------
syz-executor974/7169 is trying to acquire lock:
(sb_writers#6){.+.+}, at: [<ffffffff818cb983>] file_start_write
include/linux/fs.h:2702 [inline]
(sb_writers#6){.+.+}, at: [<ffffffff818cb983>] vfs_fallocate+0x5d3/0x7a0
fs/open.c:318
but task is already holding lock:
(ashmem_mutex){+.+.}, at: [<ffffffff84a9c956>]
ashmem_shrink_scan+0x56/0x420 drivers/staging/android/ashmem.c:454
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (ashmem_mutex){+.+.}:
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xe8/0x1470 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
ashmem_mmap+0x55/0x490 drivers/staging/android/ashmem.c:369
call_mmap include/linux/fs.h:1779 [inline]
mmap_region+0x858/0x1030 mm/mmap.c:1722
do_mmap+0x5b8/0xcd0 mm/mmap.c:1500
do_mmap_pgoff include/linux/mm.h:2165 [inline]
vm_mmap_pgoff+0x17a/0x1d0 mm/util.c:333
SYSC_mmap_pgoff mm/mmap.c:1550 [inline]
SyS_mmap_pgoff+0x3ca/0x520 mm/mmap.c:1508
SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
-> #1 (&mm->mmap_sem){++++}:
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__might_fault mm/memory.c:4578 [inline]
__might_fault+0x143/0x1d0 mm/memory.c:4563
_copy_from_user+0x2c/0x110 lib/usercopy.c:10
copy_from_user include/linux/uaccess.h:147 [inline]
setxattr+0x153/0x350 fs/xattr.c:438
path_setxattr+0x11f/0x140 fs/xattr.c:472
SYSC_lsetxattr fs/xattr.c:494 [inline]
SyS_lsetxattr+0x38/0x50 fs/xattr.c:490
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
-> #0 (sb_writers#6){.+.+}:
check_prev_add kernel/locking/lockdep.c:1901 [inline]
check_prevs_add kernel/locking/lockdep.c:2018 [inline]
validate_chain kernel/locking/lockdep.c:2460 [inline]
__lock_acquire+0x2c89/0x45e0 kernel/locking/lockdep.c:3487
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36
[inline]
percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
__sb_start_write+0x1ae/0x2f0 fs/super.c:1363
file_start_write include/linux/fs.h:2702 [inline]
vfs_fallocate+0x5d3/0x7a0 fs/open.c:318
ashmem_shrink_scan drivers/staging/android/ashmem.c:461 [inline]
ashmem_shrink_scan+0x181/0x420 drivers/staging/android/ashmem.c:445
ashmem_ioctl+0x28f/0xf10 drivers/staging/android/ashmem.c:803
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
other info that might help us debug this:
Chain exists of:
sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(ashmem_mutex);
lock(&mm->mmap_sem);
lock(ashmem_mutex);
lock(sb_writers#6);
*** DEADLOCK ***
1 lock held by syz-executor974/7169:
#0: (ashmem_mutex){+.+.}, at: [<ffffffff84a9c956>]
ashmem_shrink_scan+0x56/0x420 drivers/staging/android/ashmem.c:454
stack backtrace:
CPU: 0 PID: 7169 Comm: syz-executor974 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1901 [inline]
check_prevs_add kernel/locking/lockdep.c:2018 [inline]
validate_chain kernel/locking/lockdep.c:2460 [inline]
__lock_acquire+0x2c89/0x45e0 kernel/locking/lockdep.c:3487
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
__sb_start_write+0x1ae/0x2f0 fs/super.c:1363
file_start_write include/linux/fs.h:2702 [inline]
vfs_fallocate+0x5d3/0x7a0 fs/open.c:318
ashmem_shrink_scan drivers/staging/android/ashmem.c:461 [inline]
ashmem_shrink_scan+0x181/0x420 drivers/staging/android/ashmem.c:445
ashmem_ioctl+0x28f/0xf10 drivers/staging/android/ashmem.c:803
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4401c9
RSP: 002b:00007fff190b9688 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages