[syzbot] [mm?] possible deadlock in lock_vma

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+27f783f9d240834c9d44@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, axelrasmussen@google.com,
	brauner@kernel.org,  linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,  linux-mm@kvack.org,
	lokeshgidra@google.com, mirq-linux@rere.qmqm.pl,
	 peterx@redhat.com, rppt@kernel.org,
	syzkaller-bugs@googlegroups.com,  viro@zeniv.linux.org.uk
Subject: [syzbot] [mm?] possible deadlock in lock_vma
Date: Thu, 15 Feb 2024 22:07:27 -0800	[thread overview]
Message-ID: <000000000000fc6b2c0611798e90@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    ae00c445390b Add linux-next specific files for 20240212
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17478592180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4eb3a27eddb32a14
dashboard link: https://syzkaller.appspot.com/bug?extid=27f783f9d240834c9d44
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17406e42180000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=111cb500180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8b2a2d0b511f/disk-ae00c445.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a668a09c9d03/vmlinux-ae00c445.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4ad623928692/bzImage-ae00c445.xz

The issue was bisected to:

commit 31d97016c80a83daa4c938014c81282810a14773
Author: Lokesh Gidra <lokeshgidra@google.com>
Date:   Thu Feb 8 21:22:04 2024 +0000

    userfaultfd: use per-vma locks in userfaultfd operations

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=129ff100180000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=119ff100180000
console output: https://syzkaller.appspot.com/x/log.txt?x=169ff100180000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+27f783f9d240834c9d44@syzkaller.appspotmail.com
Fixes: 31d97016c80a ("userfaultfd: use per-vma locks in userfaultfd operations")

======================================================
WARNING: possible circular locking dependency detected
6.8.0-rc4-next-20240212-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor800/5064 is trying to acquire lock:
ffff888021d401a0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:146 [inline]
ffff888021d401a0 (&mm->mmap_lock){++++}-{3:3}, at: lock_vma+0xc5/0x260 mm/userfaultfd.c:73

but task is already holding lock:
ffff88802b989730 (&vma->vm_lock->lock){++++}-{3:3}, at: lock_vma+0x1a1/0x260 mm/userfaultfd.c:87

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&vma->vm_lock->lock){++++}-{3:3}:
       lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
       down_write+0x3a/0x50 kernel/locking/rwsem.c:1579
       vma_start_write include/linux/mm.h:716 [inline]
       vma_link+0x2c6/0x550 mm/mmap.c:416
       insert_vm_struct+0x1a3/0x260 mm/mmap.c:3331
       __bprm_mm_init fs/exec.c:282 [inline]
       bprm_mm_init fs/exec.c:384 [inline]
       alloc_bprm+0x543/0xa00 fs/exec.c:1579
       kernel_execve+0x99/0xa10 fs/exec.c:2008
       try_to_run_init_process init/main.c:1361 [inline]
       kernel_init+0xe8/0x2b0 init/main.c:1488
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:242

-> #0 (&mm->mmap_lock){++++}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
       __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
       lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
       down_read+0xb1/0xa40 kernel/locking/rwsem.c:1526
       mmap_read_lock include/linux/mmap_lock.h:146 [inline]
       lock_vma+0xc5/0x260 mm/userfaultfd.c:73
       find_and_lock_vmas mm/userfaultfd.c:1405 [inline]
       move_pages+0x18c/0xff0 mm/userfaultfd.c:1546
       userfaultfd_move fs/userfaultfd.c:2008 [inline]
       userfaultfd_ioctl+0x5c10/0x72c0 fs/userfaultfd.c:2126
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:871 [inline]
       __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:857
       do_syscall_64+0xfb/0x240
       entry_SYSCALL_64_after_hwframe+0x6d/0x75

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  rlock(&vma->vm_lock->lock);
                               lock(&mm->mmap_lock);
                               lock(&vma->vm_lock->lock);
  rlock(&mm->mmap_lock);

 *** DEADLOCK ***

1 lock held by syz-executor800/5064:
 #0: ffff88802b989730 (&vma->vm_lock->lock){++++}-{3:3}, at: lock_vma+0x1a1/0x260 mm/userfaultfd.c:87

stack backtrace:
CPU: 1 PID: 5064 Comm: syz-executor800 Not tainted 6.8.0-rc4-next-20240212-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
 check_prev_add kernel/locking/lockdep.c:3134 [inline]
 check_prevs_add kernel/locking/lockdep.c:3253 [inline]
 validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
 lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
 down_read+0xb1/0xa40 kernel/locking/rwsem.c:1526
 mmap_read_lock include/linux/mmap_lock.h:146 [inline]
 lock_vma+0xc5/0x260 mm/userfaultfd.c:73
 find_and_lock_vmas mm/userfaultfd.c:1405 [inline]
 move_pages+0x18c/0xff0 mm/userfaultfd.c:1546
 userfaultfd_move fs/userfaultfd.c:2008 [inline]
 userfaultfd_ioctl+0x5c10/0x72c0 fs/userfaultfd.c:2126
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:857
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f86fc35f329
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd53428e38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd53429008 RCX: 00007f86fc35f329
RDX: 0000000020000040 RSI: 00000000c028aa05 RDI: 


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

                 reply	other threads:[~2024-02-16  6:07 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000fc6b2c0611798e90@google.com \
    --to=syzbot+27f783f9d240834c9d44@syzkaller.appspotmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=axelrasmussen@google.com \
    --cc=brauner@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=lokeshgidra@google.com \
    --cc=mirq-linux@rere.qmqm.pl \
    --cc=peterx@redhat.com \
    --cc=rppt@kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.