[syzbot] [netfs?] possible deadlock in lock_mm_and_find_vma (2)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

syzbot found the following issue on:

HEAD commit:    5be63fc19fca Linux 6.11-rc5
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d8b247980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f29704545d454ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=b02bbe0ff80a09a08c1b
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-5be63fc1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/64065b3c02ed/vmlinux-5be63fc1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aef4258dcb3f/bzImage-5be63fc1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b02bbe0ff80a09a08c1b@xxxxxxxxxxxxxxxxxxxxxxxxx

======================================================
WARNING: possible circular locking dependency detected
6.11.0-rc5-syzkaller #0 Not tainted
------------------------------------------------------
syz.2.1318/10014 is trying to acquire lock:
ffff88802b6b2798 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock_killable include/linux/mmap_lock.h:153 [inline]
ffff88802b6b2798 (&mm->mmap_lock){++++}-{3:3}, at: get_mmap_lock_carefully mm/memory.c:5878 [inline]
ffff88802b6b2798 (&mm->mmap_lock){++++}-{3:3}, at: lock_mm_and_find_vma+0x3a9/0x6a0 mm/memory.c:5929

but task is already holding lock:
ffff8880302e8b70 (&ctx->wb_lock){+.+.}-{3:3}, at: netfs_begin_writethrough+0x6c/0x3c0 fs/netfs/write_issue.c:572

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ctx->wb_lock){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752
       netfs_writepages+0x5e1/0xdd0 fs/netfs/write_issue.c:509
       do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
       filemap_fdatawrite_wbc mm/filemap.c:397 [inline]
       filemap_fdatawrite_wbc+0x148/0x1c0 mm/filemap.c:387
       v9fs_mmap_vm_close+0x213/0x260 fs/9p/vfs_file.c:502
       remove_vma+0x8b/0x180 mm/mmap.c:182
       remove_mt mm/mmap.c:2415 [inline]
       do_vmi_align_munmap+0x1272/0x19c0 mm/mmap.c:2758
       do_vmi_munmap+0x231/0x410 mm/mmap.c:2830
       mmap_region+0x17f/0x2760 mm/mmap.c:2881
       do_mmap+0xbfb/0xfb0 mm/mmap.c:1468
       vm_mmap_pgoff+0x1ba/0x360 mm/util.c:588
       ksys_mmap_pgoff+0x332/0x5d0 mm/mmap.c:1514
       __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
       __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline]
       __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (&mm->mmap_lock){++++}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3133 [inline]
       check_prevs_add kernel/locking/lockdep.c:3252 [inline]
       validate_chain kernel/locking/lockdep.c:3868 [inline]
       __lock_acquire+0x24ed/0x3cb0 kernel/locking/lockdep.c:5142
       lock_acquire kernel/locking/lockdep.c:5759 [inline]
       lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
       down_read_killable+0x9d/0x380 kernel/locking/rwsem.c:1549
       mmap_read_lock_killable include/linux/mmap_lock.h:153 [inline]
       get_mmap_lock_carefully mm/memory.c:5878 [inline]
       lock_mm_and_find_vma+0x3a9/0x6a0 mm/memory.c:5929
       do_user_addr_fault+0x2b5/0x13f0 arch/x86/mm/fault.c:1361
       handle_page_fault arch/x86/mm/fault.c:1481 [inline]
       exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
       asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
       fault_in_readable+0x126/0x230 mm/gup.c:2244
       fault_in_iov_iter_readable+0x101/0x2c0 lib/iov_iter.c:94
       netfs_perform_write+0x3ef/0x2250 fs/netfs/buffered_write.c:240
       netfs_buffered_write_iter_locked+0x213/0x2c0 fs/netfs/buffered_write.c:470
       netfs_file_write_iter+0x1e0/0x470 fs/netfs/buffered_write.c:509
       v9fs_file_write_iter+0xa1/0x100 fs/9p/vfs_file.c:407
       aio_write+0x3c1/0x8e0 fs/aio.c:1633
       __io_submit_one fs/aio.c:2005 [inline]
       io_submit_one+0x124e/0x1db0 fs/aio.c:2052
       __do_sys_io_submit fs/aio.c:2111 [inline]
       __se_sys_io_submit fs/aio.c:2081 [inline]
       __x64_sys_io_submit+0x19d/0x330 fs/aio.c:2081
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ctx->wb_lock);
                               lock(&mm->mmap_lock);
                               lock(&ctx->wb_lock);
  rlock(&mm->mmap_lock);

 *** DEADLOCK ***

2 locks held by syz.2.1318/10014:
 #0: ffff8880302e87b8 (&sb->s_type->i_mutex_key#25){++++}-{3:3}, at: netfs_start_io_write+0x1f/0x70 fs/netfs/locking.c:118
 #1: ffff8880302e8b70 (&ctx->wb_lock){+.+.}-{3:3}, at: netfs_begin_writethrough+0x6c/0x3c0 fs/netfs/write_issue.c:572

stack backtrace:
CPU: 1 UID: 0 PID: 10014 Comm: syz.2.1318 Not tainted 6.11.0-rc5-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2186
 check_prev_add kernel/locking/lockdep.c:3133 [inline]
 check_prevs_add kernel/locking/lockdep.c:3252 [inline]
 validate_chain kernel/locking/lockdep.c:3868 [inline]
 __lock_acquire+0x24ed/0x3cb0 kernel/locking/lockdep.c:5142
 lock_acquire kernel/locking/lockdep.c:5759 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
 down_read_killable+0x9d/0x380 kernel/locking/rwsem.c:1549
 mmap_read_lock_killable include/linux/mmap_lock.h:153 [inline]
 get_mmap_lock_carefully mm/memory.c:5878 [inline]
 lock_mm_and_find_vma+0x3a9/0x6a0 mm/memory.c:5929
 do_user_addr_fault+0x2b5/0x13f0 arch/x86/mm/fault.c:1361
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:fault_in_readable+0x126/0x230 mm/gup.c:2244
Code: f7 bc ff 48 39 dd 0f 84 f0 00 00 00 45 31 f6 eb 11 e8 6e f7 bc ff 48 81 c3 00 10 00 00 48 39 eb 74 1d e8 5d f7 bc ff 45 89 f7 <8a> 03 31 ff 44 89 fe 88 44 24 28 e8 8a f9 bc ff 45 85 ff 74 d2 e8
RSP: 0018:ffffc900032d7650 EFLAGS: 00050287
RAX: 0000000000030b60 RBX: 0000000020005000 RCX: ffffc900040f9000
RDX: 0000000000040000 RSI: ffffffff81cd8213 RDI: 0000000000000005
RBP: 0000000020006000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000001000
R13: 0000000020004180 R14: 0000000000000000 R15: 0000000000000000
 fault_in_iov_iter_readable+0x101/0x2c0 lib/iov_iter.c:94
 netfs_perform_write+0x3ef/0x2250 fs/netfs/buffered_write.c:240
 netfs_buffered_write_iter_locked+0x213/0x2c0 fs/netfs/buffered_write.c:470
 netfs_file_write_iter+0x1e0/0x470 fs/netfs/buffered_write.c:509
 v9fs_file_write_iter+0xa1/0x100 fs/9p/vfs_file.c:407
 aio_write+0x3c1/0x8e0 fs/aio.c:1633
 __io_submit_one fs/aio.c:2005 [inline]
 io_submit_one+0x124e/0x1db0 fs/aio.c:2052
 __do_sys_io_submit fs/aio.c:2111 [inline]
 __se_sys_io_submit fs/aio.c:2081 [inline]
 __x64_sys_io_submit+0x19d/0x330 fs/aio.c:2081
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f86fd779e79
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f86fe526038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007f86fd915f80 RCX: 00007f86fd779e79
RDX: 0000000020000700 RSI: 000000000000140b RDI: 00007f86fe4fe000
RBP: 00007f86fd7e793e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f86fd915f80 R15: 00007ffe70f66888
 </TASK>
input: syz0 as /devices/virtual/input/input13
netlink: 'syz.2.1318': attribute type 2 has an invalid length.
netlink: 'syz.2.1318': attribute type 1 has an invalid length.
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	bc ff 48 39 dd       	mov    $0xdd3948ff,%esp
   5:	0f 84 f0 00 00 00    	je     0xfb
   b:	45 31 f6             	xor    %r14d,%r14d
   e:	eb 11                	jmp    0x21
  10:	e8 6e f7 bc ff       	call   0xffbcf783
  15:	48 81 c3 00 10 00 00 	add    $0x1000,%rbx
  1c:	48 39 eb             	cmp    %rbp,%rbx
  1f:	74 1d                	je     0x3e
  21:	e8 5d f7 bc ff       	call   0xffbcf783
  26:	45 89 f7             	mov    %r14d,%r15d
* 29:	8a 03                	mov    (%rbx),%al <-- trapping instruction
  2b:	31 ff                	xor    %edi,%edi
  2d:	44 89 fe             	mov    %r15d,%esi
  30:	88 44 24 28          	mov    %al,0x28(%rsp)
  34:	e8 8a f9 bc ff       	call   0xffbcf9c3
  39:	45 85 ff             	test   %r15d,%r15d
  3c:	74 d2                	je     0x10
  3e:	e8                   	.byte 0xe8


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux