From: syzbot <syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, linux-unionfs@vger.kernel.org,
miklos@szeredi.hu, syzkaller-bugs@googlegroups.com
Subject: possible deadlock in ovl_maybe_copy_up
Date: Mon, 23 Nov 2020 02:05:17 -0800 [thread overview]
Message-ID: <000000000000c5b77105b4c3546e@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: a349e4c6 Merge tag 'xfs-5.10-fixes-7' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11813299500000
kernel config: https://syzkaller.appspot.com/x/.config?x=a521022462477aea
dashboard link: https://syzkaller.appspot.com/bug?extid=c18f2f6a7b08c51e3025
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.10.0-rc4-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/12280 is trying to acquire lock:
ffff8881480c8460 (sb_writers#4){.+.+}-{0:0}, at: ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:990
but task is already holding lock:
ffff888011c1a740 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x363/0x1760 security/integrity/ima/ima_main.c:253
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&iint->mutex){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:956 [inline]
__mutex_lock+0x134/0x10e0 kernel/locking/mutex.c:1103
process_measurement+0x363/0x1760 security/integrity/ima/ima_main.c:253
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:498
do_open fs/namei.c:3254 [inline]
path_openat+0x154d/0x2730 fs/namei.c:3369
do_filp_open+0x17e/0x3c0 fs/namei.c:3396
do_sys_openat2+0x16d/0x420 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_sys_openat fs/open.c:1200 [inline]
__se_sys_openat fs/open.c:1195 [inline]
__x64_sys_openat+0x13f/0x1f0 fs/open.c:1195
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
-> #0 (sb_writers#4){.+.+}-{0:0}:
check_prev_add kernel/locking/lockdep.c:2866 [inline]
check_prevs_add kernel/locking/lockdep.c:2991 [inline]
validate_chain kernel/locking/lockdep.c:3606 [inline]
__lock_acquire+0x2ca6/0x5c00 kernel/locking/lockdep.c:4830
lock_acquire kernel/locking/lockdep.c:5435 [inline]
lock_acquire+0x2a3/0x8c0 kernel/locking/lockdep.c:5400
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1594 [inline]
sb_start_write include/linux/fs.h:1664 [inline]
mnt_want_write+0x69/0x3d0 fs/namespace.c:354
ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:990
ovl_open+0xba/0x270 fs/overlayfs/file.c:154
do_dentry_open+0x4b9/0x11b0 fs/open.c:817
vfs_open fs/open.c:931 [inline]
dentry_open+0x132/0x1d0 fs/open.c:947
ima_calc_file_hash+0x32b/0x5a0 security/integrity/ima/ima_crypto.c:557
ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:250
process_measurement+0xca6/0x1760 security/integrity/ima/ima_main.c:330
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:498
do_open fs/namei.c:3254 [inline]
path_openat+0x154d/0x2730 fs/namei.c:3369
do_filp_open+0x17e/0x3c0 fs/namei.c:3396
do_sys_openat2+0x16d/0x420 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_sys_open fs/open.c:1192 [inline]
__se_sys_open fs/open.c:1188 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1188
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&iint->mutex);
lock(sb_writers#4);
lock(&iint->mutex);
lock(sb_writers#4);
*** DEADLOCK ***
1 lock held by syz-executor.4/12280:
#0: ffff888011c1a740 (&iint->mutex){+.+.}-{3:3}, at: process_measurement+0x363/0x1760 security/integrity/ima/ima_main.c:253
stack backtrace:
CPU: 0 PID: 12280 Comm: syz-executor.4 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:118
check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2115
check_prev_add kernel/locking/lockdep.c:2866 [inline]
check_prevs_add kernel/locking/lockdep.c:2991 [inline]
validate_chain kernel/locking/lockdep.c:3606 [inline]
__lock_acquire+0x2ca6/0x5c00 kernel/locking/lockdep.c:4830
lock_acquire kernel/locking/lockdep.c:5435 [inline]
lock_acquire+0x2a3/0x8c0 kernel/locking/lockdep.c:5400
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1594 [inline]
sb_start_write include/linux/fs.h:1664 [inline]
mnt_want_write+0x69/0x3d0 fs/namespace.c:354
ovl_maybe_copy_up+0x11f/0x190 fs/overlayfs/copy_up.c:990
ovl_open+0xba/0x270 fs/overlayfs/file.c:154
do_dentry_open+0x4b9/0x11b0 fs/open.c:817
vfs_open fs/open.c:931 [inline]
dentry_open+0x132/0x1d0 fs/open.c:947
ima_calc_file_hash+0x32b/0x5a0 security/integrity/ima/ima_crypto.c:557
ima_collect_measurement+0x4ca/0x570 security/integrity/ima/ima_api.c:250
process_measurement+0xca6/0x1760 security/integrity/ima/ima_main.c:330
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:498
do_open fs/namei.c:3254 [inline]
path_openat+0x154d/0x2730 fs/namei.c:3369
do_filp_open+0x17e/0x3c0 fs/namei.c:3396
do_sys_openat2+0x16d/0x420 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_sys_open fs/open.c:1192 [inline]
__se_sys_open fs/open.c:1188 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1188
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fccb9104c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00000000000221c0 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000020000040
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffc3967e2bf R14: 00007fccb91059c0 R15: 000000000118bf2c
overlayfs: upperdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
next reply other threads:[~2020-11-23 10:05 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-23 10:05 syzbot [this message]
2021-04-03 19:18 ` [syzbot] possible deadlock in ovl_maybe_copy_up syzbot
2021-04-04 8:10 ` Amir Goldstein
[not found] ` <20210618040135.950-1-hdanton@sina.com>
2021-06-22 2:32 ` Mimi Zohar
2021-06-22 4:51 ` Amir Goldstein
2021-06-22 11:40 ` Mimi Zohar
[not found] ` <20210622065340.1322-1-hdanton@sina.com>
2021-06-22 8:53 ` Amir Goldstein
2023-06-06 9:30 ` Miklos Szeredi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000c5b77105b4c3546e@google.com \
--to=syzbot+c18f2f6a7b08c51e3025@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.