From: syzbot <syzbot+ae82084b07d0297e566b@syzkaller.appspotmail.com>
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: possible deadlock in mnt_want_write
Date: Wed, 21 Nov 2018 08:14:04 -0800 [thread overview]
Message-ID: <000000000000f85223057b2f0994@google.com> (raw)
In-Reply-To: <000000000000d03eea0571adfe83@google.com>
syzbot has found a reproducer for the following crash on:
HEAD commit: c8ce94b8fe53 Merge tag 'mips_fixes_4.20_3' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16a16ed5400000
kernel config: https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
dashboard link: https://syzkaller.appspot.com/bug?extid=ae82084b07d0297e566b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d8ac5d400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ae82084b07d0297e566b@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
======================================================
WARNING: possible circular locking dependency detected
4.20.0-rc3+ #122 Not tainted
------------------------------------------------------
syz-executor0/6225 is trying to acquire lock:
000000001881f73a (sb_writers#3){.+.+}, at: sb_start_write
include/linux/fs.h:1597 [inline]
000000001881f73a (sb_writers#3){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:360
but task is already holding lock:
00000000c37872d6 (&iint->mutex){+.+.}, at: process_measurement+0x438/0x1bf0
security/integrity/ima/ima_main.c:224
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&iint->mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
process_measurement+0x438/0x1bf0
security/integrity/ima/ima_main.c:224
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134a/0x5150 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_open fs/open.c:1081 [inline]
__se_sys_open fs/open.c:1076 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1076
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> #0 (sb_writers#3){.+.+}:
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36
[inline]
percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
__sb_start_write+0x214/0x370 fs/super.c:1387
sb_start_write include/linux/fs.h:1597 [inline]
mnt_want_write+0x3f/0xc0 fs/namespace.c:360
ovl_want_write+0x76/0xa0 fs/overlayfs/util.c:24
ovl_open_maybe_copy_up+0x12c/0x190 fs/overlayfs/copy_up.c:888
ovl_open+0xb3/0x260 fs/overlayfs/file.c:123
do_dentry_open+0x499/0x1250 fs/open.c:771
vfs_open fs/open.c:880 [inline]
dentry_open+0x143/0x1d0 fs/open.c:896
ima_calc_file_hash+0x324/0x570
security/integrity/ima/ima_crypto.c:427
ima_collect_measurement+0x619/0x730
security/integrity/ima/ima_api.c:232
process_measurement+0x11fd/0x1bf0
security/integrity/ima/ima_main.c:284
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134a/0x5150 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_open fs/open.c:1081 [inline]
__se_sys_open fs/open.c:1076 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1076
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&iint->mutex);
lock(sb_writers#3);
lock(&iint->mutex);
lock(sb_writers#3);
*** DEADLOCK ***
1 lock held by syz-executor0/6225:
#0: 00000000c37872d6 (&iint->mutex){+.+.}, at:
process_measurement+0x438/0x1bf0 security/integrity/ima/ima_main.c:224
stack backtrace:
CPU: 0 PID: 6225 Comm: syz-executor0 Not tainted 4.20.0-rc3+ #122
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
print_circular_bug.isra.35.cold.54+0x1bd/0x27d
kernel/locking/lockdep.c:1221
check_prev_add kernel/locking/lockdep.c:1863 [inline]
check_prevs_add kernel/locking/lockdep.c:1976 [inline]
validate_chain kernel/locking/lockdep.c:2347 [inline]
__lock_acquire+0x3399/0x4c20 kernel/locking/lockdep.c:3341
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
__sb_start_write+0x214/0x370 fs/super.c:1387
sb_start_write include/linux/fs.h:1597 [inline]
mnt_want_write+0x3f/0xc0 fs/namespace.c:360
ovl_want_write+0x76/0xa0 fs/overlayfs/util.c:24
ovl_open_maybe_copy_up+0x12c/0x190 fs/overlayfs/copy_up.c:888
ovl_open+0xb3/0x260 fs/overlayfs/file.c:123
do_dentry_open+0x499/0x1250 fs/open.c:771
vfs_open fs/open.c:880 [inline]
dentry_open+0x143/0x1d0 fs/open.c:896
ima_calc_file_hash+0x324/0x570 security/integrity/ima/ima_crypto.c:427
ima_collect_measurement+0x619/0x730 security/integrity/ima/ima_api.c:232
process_measurement+0x11fd/0x1bf0 security/integrity/ima/ima_main.c:284
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134a/0x5150 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_open fs/open.c:1081 [inline]
__se_sys_open fs/open.c:1076 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1076
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd93abed08 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
RDX: 0000000000000040 RSI: 0000000000000003 RDI: 0000000020000780
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
next prev parent reply other threads:[~2018-11-21 16:14 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-23 17:30 possible deadlock in mnt_want_write syzbot
2018-11-21 16:14 ` syzbot [this message]
2018-11-21 16:24 ` syzbot
2018-11-21 18:57 ` Amir Goldstein
2018-11-21 20:04 ` Goldwyn Rodrigues
2018-11-21 20:22 ` Amir Goldstein
2019-11-23 2:27 ` syzbot
2020-11-07 12:10 ` syzbot
2020-11-11 13:52 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000f85223057b2f0994@google.com \
--to=syzbot+ae82084b07d0297e566b@syzkaller.appspotmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.