witness: reversal: vmmaplk inode

5 views
Skip to first unread message

syzbot

unread,
Jan 25, 2019, 2:16:04 AM1/25/19
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 6f9e9be94f66 sort output suffixes
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=155214b8c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=3303344588104330
dashboard link: https://syzkaller.appspot.com/bug?extid=0ab93519af8f3dbfb136
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0ab935...@syzkaller.appspotmail.com

login: lock order reversal:
1st 0xfffffd807f00d9f0 vmmaplk (&map->lock) @
/syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1442
2nd 0xfffffd8069dc9e68 inode (&ip->i_lock) @
/syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 vm_map_lock_ln+0x14e
#3 uvm_map+0x2e2
#4 km_alloc+0x19a
#5 pool_multi_alloc_ni+0xe4
#6 pool_p_alloc+0x70
#7 pool_do_get+0x127
#8 pool_get+0x104
#9 ufsdirhash_build+0x40b
#10 ufs_lookup+0x2a5
#11 VOP_LOOKUP+0x63
#12 vfs_lookup+0x552
#13 namei+0x4af
#14 start_init+0xd6
lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 _rrw_enter+0x5c
#3 VOP_LOCK+0x55
#4 vn_lock+0x6e
#5 uvn_io+0x2ca
#6 uvn_get+0x206
#7 uvm_fault+0x12c1
#8 uvm_fault_wire+0x70
#9 uvm_map_pageable_wire+0x2fd
#10 sys_mlock+0x187
#11 syscall+0x5a0
#12 Xsyscall+0x128
Stopped at db_enter+0x18: addq $0x8,%rsp
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(6dd17dc74a701eaa,81,fffffd8069dc9e58,fffffd8069dc9e58,0)
at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543
[inline]
witness_checkorder(6dd17dc74a701eaa,81,fffffd8069dc9e58,fffffd8069dc9e58,0)
at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(6fa38a843c292a30,60b,fffffd8069dc9e58,ffffffff81ee040a) at
_rw_enter+0xbf
_rrw_enter(c2256cfed570c526,fffffd807dff7ec8,ffffffff8125c1f0,0) at
_rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(2b6d136fefb12e46,fffffd807dff7ec8) at VOP_LOCK+0x55
sys/kern/vfs_vops.c:598
vn_lock(802146b15fcc059a,1000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(cab2147d694bf04a,0,0,fffffd80682470a8,0) at uvn_io+0x2ca
sys/uvm/uvm_vnode.c:1188
uvn_get(45b577dbd4ace9cc,ffffffff81df4b90,fffffd80682470a8,fffffd806b584418,0,1)
at
uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(9a65425dcf3dc953,2000e000,0,1) at uvm_fault+0x12c1
sys/uvm/uvm_fault.c:1023
uvm_fault_wire(e78623c7a62600cc,1,2000e000,fffffd806b584418) at
uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(74079f66c1c03b53,20801000,20001000,800000,fffffd807f00d9d8,800000)
at
uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
sys_mlock(ffb3d8d67976bac5,10,ffff800020b924c8) at sys_mlock+0x187
sys/uvm/uvm_mmap.c:740
syscall(c2256cfed5f69df7) at syscall+0x5a0 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(c2256cfed5f69df7) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffa1,0,2,b07df1f5010) at Xsyscall+0x128
end of kernel
end trace frame: 0xb0accd81840, count: -14
ddb{1}> show registers
rdi 0x3
rsi 0x3ffff acpi_pdirpa+0x2be67
rbp 0xffff800020c5f1f0
rbx 0x3
rdx 0x40000 acpi_pdirpa+0x2be68
rcx 0xffff800001947000
rax 0xffff800001946440
r8 0xffffffff81c2c0ff witness_checkorder+0x12cf
r9 0x5
r10 0xfd836cc0497e8b36
r11 0x4c2729f8cc5035
r12 0xfffffd80025cec30
r13 0xffffffff81ebdb3f cmd0646_9_tim_udma+0xa8ca
r14 0xffffffff82290ee0 w_lodata+0x48b40
r15 0xffffffff8229e1f0 w_lodata+0x55e50
rip 0xffffffff817aed68 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c5f1e0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0) pid=83026 stat=onproc
flags process=10<SUGID> proc=4000000<THREAD>
pri=86, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020b93c38,0xffffffff82307ab0
process=0xffff800020bcad38 user=0xffff800020c5a000,
vmspace=0xfffffd807f00d9d8
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
16624 103159 66908 32767 7 0x10 syz-executor0
*16624 83026 66908 32767 7 0x4000010 syz-executor0
66908 197331 23116 32767 3 0x90 nanosleep syz-executor0
23116 136779 93973 0 3 0x82 wait syz-executor0
16429 136074 59005 32767 3 0x90 nanosleep syz-executor1
59005 21359 93973 0 3 0x82 wait syz-executor1
36430 520597 0 0 3 0x14200 bored sosplice
93973 202035 82989 0 3 0x82 thrsleep syz-fuzzer
93973 493225 82989 0 3 0x4000082 nanosleep syz-fuzzer
93973 75372 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 14892 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 201709 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 486231 82989 0 3 0x4000082 kqread syz-fuzzer
93973 489010 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 16519 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 226203 82989 0 3 0x4000082 thrsleep syz-fuzzer
93973 188076 82989 0 3 0x4000082 thrsleep syz-fuzzer
82989 216880 84954 0 3 0x10008a pause ksh
84954 81275 53543 0 3 0x92 select sshd
47808 473426 1 0 3 0x100083 ttyin getty
53543 332812 1 0 3 0x80 select sshd
45451 374218 45662 73 2 0x100090 syslogd
45662 491218 1 0 3 0x100082 netio syslogd
72189 279069 1 77 3 0x100090 poll dhclient
1212 278122 1 0 3 0x80 poll dhclient
9769 49931 0 0 2 0x14200 zerothread
85604 274939 0 0 3 0x14200 aiodoned aiodoned
92159 44259 0 0 3 0x14200 syncer update
74710 406891 0 0 3 0x14200 cleaner cleaner
87550 426171 0 0 3 0x14200 reaper reaper
36235 275247 0 0 3 0x14200 pgdaemon pagedaemon
26276 160937 0 0 3 0x14200 bored crynlk
90999 276468 0 0 3 0x14200 bored crypto
25858 363501 0 0 3 0x40014200 acpi0 acpi0
9413 377275 0 0 3 0x40014200 idle1
3246 452782 0 0 3 0x14200 bored softnet
42083 342771 0 0 3 0x14200 bored systqmp
84083 315508 0 0 3 0x14200 bored systq
16502 370165 0 0 3 0x40014200 bored softclock
70756 120747 0 0 3 0x40014200 idle0
1 253388 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

unread,
Jan 25, 2019, 2:36:03 AM1/25/19
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 6f9e9be94f66 sort output suffixes
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=135a73cf400000
kernel config: https://syzkaller.appspot.com/x/.config?x=3303344588104330
dashboard link: https://syzkaller.appspot.com/bug?extid=0ab93519af8f3dbfb136
compiler:
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12e7b4c0c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b88b90c00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0ab935...@syzkaller.appspotmail.com

lock order reversal:
1st 0xfffffd806e920728 vmmaplk (&map->lock) @
/syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1442
2nd 0xfffffd806dd58d60 inode (&ip->i_lock) @
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
the kernel did not panic
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(783d89990ce68da3,81,fffffd806dd58d50,fffffd806dd58d50,0)
at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543
[inline]
witness_checkorder(783d89990ce68da3,81,fffffd806dd58d50,fffffd806dd58d50,0)
at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(f9e5e3fa391ccb08,60b,fffffd806dd58d50,ffffffff81ee040a) at
_rw_enter+0xbf
_rrw_enter(168d5318f85792db,fffffd806dc2b3f0,ffffffff8125c1f0,0) at
_rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(78b6b976a3b6b5c1,fffffd806dc2b3f0) at VOP_LOCK+0x55
sys/kern/vfs_vops.c:598
vn_lock(5821da352c9d35c5,1000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(85cae18007ba5493,0,0,fffffd807a51d680,0) at uvn_io+0x2ca
sys/uvm/uvm_vnode.c:1188
uvn_get(e4a40bb9d3e892ea,ffffffff81df4b90,fffffd807a51d680,fffffd806f1cfc80,0,1)
at
uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(cb16dea21491fcb7,2000e000,0,1) at uvm_fault+0x12c1
sys/uvm/uvm_fault.c:1023
uvm_fault_wire(8521360ee27bcf62,1,2000e000,fffffd806f1cfc80) at
uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(8495b2850821b61d,20801000,20001000,284f6555,fffffd806e920710,800000)
at
uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
sys_mlock(d4e5009c897ac93d,2,ffff800020be4e20) at sys_mlock+0x187
sys/uvm/uvm_mmap.c:740
syscall(168d5318f8d1ca0a) at syscall+0x5a0 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(168d5318f8d1ca0a) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,7f7fffff09d8,0,1,7f7fffff09e8) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7fffff0970, count: -14
ddb{0}> show registers
rdi 0x3
rsi 0xffffffff821a8f48
__sancov_gen_cov_switch_values.125+0x28rbp 0xffff800020bff360
rbx 0x3
rdx 0x8b
rcx 0x3
rax 0
r8 0xffffffff81c2c0ff witness_checkorder+0x12cf
r9 0x5
r10 0xfdbdf5c90bbb5cbe
r11 0x2b1aff6308c023cd
r12 0xfffffd80025cec30
r13 0xffffffff81ebdb3f cmd0646_9_tim_udma+0xa8ca
r14 0xffffffff82299230 w_lodata+0x50e90
r15 0xffffffff8229e1f0 w_lodata+0x55e50
rip 0xffffffff817aed68 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020bff350
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor2481) pid=291407 stat=onproc
flags process=2<EXEC> proc=0
pri=50, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff800020be4268,0xffffffff82307ab0
process=0xffff800020bca360 user=0xffff800020bfa000,
vmspace=0xfffffd806e920710
estcpu=0, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
*64758 291407 22935 0 7 0x2 syz-executor2481
22935 472110 87886 0 3 0x10008a pause ksh
87886 238231 20806 0 3 0x92 select sshd
7267 455628 1 0 3 0x100083 ttyin getty
20806 465556 1 0 3 0x80 select sshd
988 74643 36562 73 7 0x100090 syslogd
36562 191413 1 0 3 0x100082 netio syslogd
61160 35837 1 77 3 0x100090 poll dhclient
55573 68993 1 0 3 0x80 poll dhclient
36315 44829 0 0 3 0x14200 pgzero zerothread
27181 229231 0 0 3 0x14200 aiodoned aiodoned
45888 237598 0 0 3 0x14200 syncer update
1991 237630 0 0 3 0x14200 cleaner cleaner
59872 515262 0 0 3 0x14200 reaper reaper
88946 315490 0 0 3 0x14200 pgdaemon pagedaemon
64287 164955 0 0 3 0x14200 bored crynlk
45944 178539 0 0 3 0x14200 bored crypto
27440 465585 0 0 3 0x40014200 acpi0 acpi0
95886 371008 0 0 3 0x40014200 idle1
41437 353173 0 0 3 0x14200 bored softnet
95943 116970 0 0 3 0x14200 bored systqmp
21947 56787 0 0 3 0x14200 bored systq
9096 195365 0 0 3 0x40014200 bored softclock
75281 111273 0 0 3 0x40014200 idle0
1 168460 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}>

Anton Lindqvist

unread,
Dec 18, 2019, 8:50:46 AM12/18/19
to syzbot, syzkaller-o...@googlegroups.com
#syz fix: Use separate rwlock initializations for userland ("vmspace") and kernel maps. This lets witness know that these really are different classes avoiding false positives when detecting lock order reversals.
Reply all
Reply to author
Forward
0 new messages