From: syzbot <syzbot+b02bbe0ff80a09a08c1b@syzkaller.appspotmail.com>
To: dhowells@redhat.com, jlayton@kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
netfs@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [netfs?] possible deadlock in lock_mm_and_find_vma (2)
Date: Fri, 30 Aug 2024 21:17:22 -0700 [thread overview]
Message-ID: <0000000000000a78120620f2fc2b@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 5be63fc19fca Linux 6.11-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d8b247980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f29704545d454ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=b02bbe0ff80a09a08c1b
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-5be63fc1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/64065b3c02ed/vmlinux-5be63fc1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aef4258dcb3f/bzImage-5be63fc1.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b02bbe0ff80a09a08c1b@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.11.0-rc5-syzkaller #0 Not tainted
------------------------------------------------------
syz.2.1318/10014 is trying to acquire lock:
ffff88802b6b2798 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock_killable include/linux/mmap_lock.h:153 [inline]
ffff88802b6b2798 (&mm->mmap_lock){++++}-{3:3}, at: get_mmap_lock_carefully mm/memory.c:5878 [inline]
ffff88802b6b2798 (&mm->mmap_lock){++++}-{3:3}, at: lock_mm_and_find_vma+0x3a9/0x6a0 mm/memory.c:5929
but task is already holding lock:
ffff8880302e8b70 (&ctx->wb_lock){+.+.}-{3:3}, at: netfs_begin_writethrough+0x6c/0x3c0 fs/netfs/write_issue.c:572
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ctx->wb_lock){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752
netfs_writepages+0x5e1/0xdd0 fs/netfs/write_issue.c:509
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
filemap_fdatawrite_wbc mm/filemap.c:397 [inline]
filemap_fdatawrite_wbc+0x148/0x1c0 mm/filemap.c:387
v9fs_mmap_vm_close+0x213/0x260 fs/9p/vfs_file.c:502
remove_vma+0x8b/0x180 mm/mmap.c:182
remove_mt mm/mmap.c:2415 [inline]
do_vmi_align_munmap+0x1272/0x19c0 mm/mmap.c:2758
do_vmi_munmap+0x231/0x410 mm/mmap.c:2830
mmap_region+0x17f/0x2760 mm/mmap.c:2881
do_mmap+0xbfb/0xfb0 mm/mmap.c:1468
vm_mmap_pgoff+0x1ba/0x360 mm/util.c:588
ksys_mmap_pgoff+0x332/0x5d0 mm/mmap.c:1514
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline]
__x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&mm->mmap_lock){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3133 [inline]
check_prevs_add kernel/locking/lockdep.c:3252 [inline]
validate_chain kernel/locking/lockdep.c:3868 [inline]
__lock_acquire+0x24ed/0x3cb0 kernel/locking/lockdep.c:5142
lock_acquire kernel/locking/lockdep.c:5759 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
down_read_killable+0x9d/0x380 kernel/locking/rwsem.c:1549
mmap_read_lock_killable include/linux/mmap_lock.h:153 [inline]
get_mmap_lock_carefully mm/memory.c:5878 [inline]
lock_mm_and_find_vma+0x3a9/0x6a0 mm/memory.c:5929
do_user_addr_fault+0x2b5/0x13f0 arch/x86/mm/fault.c:1361
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
fault_in_readable+0x126/0x230 mm/gup.c:2244
fault_in_iov_iter_readable+0x101/0x2c0 lib/iov_iter.c:94
netfs_perform_write+0x3ef/0x2250 fs/netfs/buffered_write.c:240
netfs_buffered_write_iter_locked+0x213/0x2c0 fs/netfs/buffered_write.c:470
netfs_file_write_iter+0x1e0/0x470 fs/netfs/buffered_write.c:509
v9fs_file_write_iter+0xa1/0x100 fs/9p/vfs_file.c:407
aio_write+0x3c1/0x8e0 fs/aio.c:1633
__io_submit_one fs/aio.c:2005 [inline]
io_submit_one+0x124e/0x1db0 fs/aio.c:2052
__do_sys_io_submit fs/aio.c:2111 [inline]
__se_sys_io_submit fs/aio.c:2081 [inline]
__x64_sys_io_submit+0x19d/0x330 fs/aio.c:2081
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ctx->wb_lock);
lock(&mm->mmap_lock);
lock(&ctx->wb_lock);
rlock(&mm->mmap_lock);
*** DEADLOCK ***
2 locks held by syz.2.1318/10014:
#0: ffff8880302e87b8 (&sb->s_type->i_mutex_key#25){++++}-{3:3}, at: netfs_start_io_write+0x1f/0x70 fs/netfs/locking.c:118
#1: ffff8880302e8b70 (&ctx->wb_lock){+.+.}-{3:3}, at: netfs_begin_writethrough+0x6c/0x3c0 fs/netfs/write_issue.c:572
stack backtrace:
CPU: 1 UID: 0 PID: 10014 Comm: syz.2.1318 Not tainted 6.11.0-rc5-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2186
check_prev_add kernel/locking/lockdep.c:3133 [inline]
check_prevs_add kernel/locking/lockdep.c:3252 [inline]
validate_chain kernel/locking/lockdep.c:3868 [inline]
__lock_acquire+0x24ed/0x3cb0 kernel/locking/lockdep.c:5142
lock_acquire kernel/locking/lockdep.c:5759 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
down_read_killable+0x9d/0x380 kernel/locking/rwsem.c:1549
mmap_read_lock_killable include/linux/mmap_lock.h:153 [inline]
get_mmap_lock_carefully mm/memory.c:5878 [inline]
lock_mm_and_find_vma+0x3a9/0x6a0 mm/memory.c:5929
do_user_addr_fault+0x2b5/0x13f0 arch/x86/mm/fault.c:1361
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:fault_in_readable+0x126/0x230 mm/gup.c:2244
Code: f7 bc ff 48 39 dd 0f 84 f0 00 00 00 45 31 f6 eb 11 e8 6e f7 bc ff 48 81 c3 00 10 00 00 48 39 eb 74 1d e8 5d f7 bc ff 45 89 f7 <8a> 03 31 ff 44 89 fe 88 44 24 28 e8 8a f9 bc ff 45 85 ff 74 d2 e8
RSP: 0018:ffffc900032d7650 EFLAGS: 00050287
RAX: 0000000000030b60 RBX: 0000000020005000 RCX: ffffc900040f9000
RDX: 0000000000040000 RSI: ffffffff81cd8213 RDI: 0000000000000005
RBP: 0000000020006000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000001000
R13: 0000000020004180 R14: 0000000000000000 R15: 0000000000000000
fault_in_iov_iter_readable+0x101/0x2c0 lib/iov_iter.c:94
netfs_perform_write+0x3ef/0x2250 fs/netfs/buffered_write.c:240
netfs_buffered_write_iter_locked+0x213/0x2c0 fs/netfs/buffered_write.c:470
netfs_file_write_iter+0x1e0/0x470 fs/netfs/buffered_write.c:509
v9fs_file_write_iter+0xa1/0x100 fs/9p/vfs_file.c:407
aio_write+0x3c1/0x8e0 fs/aio.c:1633
__io_submit_one fs/aio.c:2005 [inline]
io_submit_one+0x124e/0x1db0 fs/aio.c:2052
__do_sys_io_submit fs/aio.c:2111 [inline]
__se_sys_io_submit fs/aio.c:2081 [inline]
__x64_sys_io_submit+0x19d/0x330 fs/aio.c:2081
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f86fd779e79
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f86fe526038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007f86fd915f80 RCX: 00007f86fd779e79
RDX: 0000000020000700 RSI: 000000000000140b RDI: 00007f86fe4fe000
RBP: 00007f86fd7e793e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f86fd915f80 R15: 00007ffe70f66888
</TASK>
input: syz0 as /devices/virtual/input/input13
netlink: 'syz.2.1318': attribute type 2 has an invalid length.
netlink: 'syz.2.1318': attribute type 1 has an invalid length.
----------------
Code disassembly (best guess), 1 bytes skipped:
0: bc ff 48 39 dd mov $0xdd3948ff,%esp
5: 0f 84 f0 00 00 00 je 0xfb
b: 45 31 f6 xor %r14d,%r14d
e: eb 11 jmp 0x21
10: e8 6e f7 bc ff call 0xffbcf783
15: 48 81 c3 00 10 00 00 add $0x1000,%rbx
1c: 48 39 eb cmp %rbp,%rbx
1f: 74 1d je 0x3e
21: e8 5d f7 bc ff call 0xffbcf783
26: 45 89 f7 mov %r14d,%r15d
* 29: 8a 03 mov (%rbx),%al <-- trapping instruction
2b: 31 ff xor %edi,%edi
2d: 44 89 fe mov %r15d,%esi
30: 88 44 24 28 mov %al,0x28(%rsp)
34: e8 8a f9 bc ff call 0xffbcf9c3
39: 45 85 ff test %r15d,%r15d
3c: 74 d2 je 0x10
3e: e8 .byte 0xe8
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2024-08-31 4:17 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-31 4:17 syzbot [this message]
2024-09-06 14:34 ` [syzbot] [netfs?] possible deadlock in lock_mm_and_find_vma (2) David Howells
2024-10-03 23:54 ` [syzbot] [mm?] " syzbot
2024-11-04 13:11 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000000a78120620f2fc2b@google.com \
--to=syzbot+b02bbe0ff80a09a08c1b@syzkaller.appspotmail.com \
--cc=dhowells@redhat.com \
--cc=jlayton@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netfs@lists.linux.dev \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.