possible deadlock in blktrans_open

Hao Sun sunhao.th at gmail.com
Fri Sep 3 00:50:57 PDT 2021 

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 9e9fb7655ed58 Merge tag 'net-next-5.15'
git tree: upstream
console output:
https://drive.google.com/file/d/1Se_X6iW4GNQ5vqD4k_Bb_Sf8TqCx8eTz/view?usp=sharing
kernel config: https://drive.google.com/file/d/1zgxbwaYkrM26KEmJ-5sUZX57gfXtRrwA/view?usp=sharing
C reproducer:  https://drive.google.com/file/d/1BtlOcxuP74hrKEkaEx4RpOXYcsQq0N7q/view?usp=sharing
Syzlang reproducer:
https://drive.google.com/file/d/1Lb42gOp9KGtdcfLbsPUJjALcS8Vj5KlM/view?usp=sharing

If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th at gmail.com>

Simplified report:
======================================================
WARNING: possible circular locking dependency detected
5.14.0+ #12 Not tainted
------------------------------------------------------
systemd-udevd/6440 is trying to acquire lock:
ffffffff85ca4b68 (mtd_table_mutex){+.+.}-{3:3}, at:
blktrans_open+0x4b/0x260 drivers/mtd/mtd_blkdevs.c:210

Full Log:

[   19.853374][ T6440] ======================================================
[   19.854238][ T6440] WARNING: possible circular locking dependency detected
[   19.855232][ T6440] 5.14.0+ #12 Not tainted
[   19.855765][ T6440] ------------------------------------------------------
[   19.856628][ T6440] systemd-udevd/6440 is trying to acquire lock:
[   19.857463][ T6440] ffffffff85ca4b68 (mtd_table_mutex){+.+.}-{3:3},
at: blktrans_open+0x4b/0x260
[   19.858586][ T6440]
[   19.858586][ T6440] but task is already holding lock:
[   19.859525][ T6440] ffff88800e29c118
(&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0xe0/0x370
[   19.860768][ T6440]
[   19.860768][ T6440] which lock already depends on the new lock.
[   19.860768][ T6440]
[   19.862050][ T6440]
[   19.862050][ T6440] the existing dependency chain (in reverse order) is:
[   19.863208][ T6440]
[   19.863208][ T6440] -> #1 (&disk->open_mutex){+.+.}-{3:3}:
[   19.864226][ T6440]        __mutex_lock+0x98/0xa50
[   19.864841][ T6440]        bd_register_pending_holders+0x2c/0x140
[   19.865612][ T6440]        device_add_disk+0x2f5/0x4f0
[   19.866270][ T6440]        add_mtd_blktrans_dev+0x436/0x670
         Startin[   19.867011][ T6440]        mtdblock_add_mtd+0x73/0xa0
g Load/Save RF K[   19.867775][ T6440]        blktrans_notify_add+0x36/0x50
ill Switch Statu[   19.868519][ T6440]        add_mtd_device+0x3e1/0x670
s...[   19.869269][ T6440]        mtd_device_parse_register+0x26d/0x410
[   19.870131][ T6440]        mtdram_init_device+0xa9/0xd0

[   19.870881][ T6440]        init_mtdram+0xa9/0x104
[   19.871566][ T6440]        do_one_initcall+0x82/0x430
[   19.872289][ T6440]        kernel_init_freeable+0x370/0x3c3
[   19.873122][ T6440]        kernel_init+0x1b/0x180
[   19.873810][ T6440]        ret_from_fork+0x1f/0x30
[   19.874494][ T6440]
[   19.874494][ T6440] -> #0 (mtd_table_mutex){+.+.}-{3:3}:
[   19.875551][ T6440]        __lock_acquire+0x161f/0x1d60
[   19.876301][ T6440]        lock_acquire+0x1f9/0x340
[   19.876994][ T6440]        __mutex_lock+0x98/0xa50
[   19.877675][ T6440]        blktrans_open+0x4b/0x260
[   19.878365][ T6440]        blkdev_get_whole+0x36/0xd0
[   19.879081][ T6440]        blkdev_get_by_dev+0x173/0x370
[   19.879868][ T6440]        blkdev_open+0x95/0x100
[   19.880547][ T6440]        do_dentry_open+0x327/0x530
[   19.881265][ T6440]        path_openat+0xcf3/0xe20
[   19.881979][ T6440]        do_filp_open+0xe3/0x170
[   19.882673][ T6440]        do_sys_openat2+0x357/0x4a0
[   19.883348][ T6440]        do_sys_open+0x87/0xd0
[   19.883955][ T6440]        do_syscall_64+0x34/0xb0
[   19.884585][ T6440]        entry_SYSCALL_64_after_hwframe+0x44/0xae
[   19.885399][ T6440]
[   19.885399][ T6440] other info that might help us debug this:
[   19.885399][ T6440]
[   19.886711][ T6440]  Possible unsafe locking scenario:
[   19.886711][ T6440]
[   19.887661][ T6440]        CPU0                    CPU1
[   19.888324][ T6440]        ----                    ----
[   19.889006][ T6440]   lock(&disk->open_mutex);
[   19.889618][ T6440]                                lock(mtd_table_mutex);
[   19.890506][ T6440]                                lock(&disk->open_mutex);
[   19.891413][ T6440]   lock(mtd_table_mutex);
[   19.891987][ T6440]
[   19.891987][ T6440]  *** DEADLOCK ***
[   19.891987][ T6440]
[   19.893010][ T6440] 1 lock held by systemd-udevd/6440:
[   19.893687][ T6440]  #0: ffff88800e29c118
(&disk->open_mutex){+.+.}-{3:3}, at: blkdev_get_by_dev+0xe0/0x370
[   19.894902][ T6440]
[   19.894902][ T6440] stack backtrace:
[   19.895622][ T6440] CPU: 0 PID: 6440 Comm: systemd-udevd Not
tainted 5.14.0+ #12
[   19.896548][ T6440] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[   19.898068][ T6440] Call Trace:
[   19.898474][ T6440]  dump_stack_lvl+0x8d/0xcf
[   19.899029][ T6440]  check_noncircular+0x105/0x120
[   19.899668][ T6440]  ? __lock_acquire+0x161f/0x1d60
[   19.900312][ T6440]  __lock_acquire+0x161f/0x1d60
[   19.901027][ T6440]  lock_acquire+0x1f9/0x340
[   19.901622][ T6440]  ? blktrans_open+0x4b/0x260
[   19.902201][ T6440]  __mutex_lock+0x98/0xa50
[   19.902850][ T6440]  ? blktrans_open+0x4b/0x260
[   19.903538][ T6440]  ? blktrans_dev_get.isra.10+0x63/0xa0
[   19.904345][ T6440]  ? blktrans_open+0x4b/0x260
[   19.905026][ T6440]  ? __mutex_unlock_slowpath+0x3c/0x280
[   19.905820][ T6440]  ? blktrans_release+0x120/0x120
[   19.906557][ T6440]  ? blktrans_open+0x4b/0x260
[   19.907248][ T6440]  blktrans_open+0x4b/0x260
[   19.907894][ T6440]  ? blktrans_release+0x120/0x120
[   19.908628][ T6440]  blkdev_get_whole+0x36/0xd0
[   19.909309][ T6440]  blkdev_get_by_dev+0x173/0x370
[   19.910031][ T6440]  ? blkdev_get_by_dev+0x370/0x370
[   19.910766][ T6440]  blkdev_open+0x95/0x100
[   19.911347][ T6440]  do_dentry_open+0x327/0x530
[   19.911956][ T6440]  ? may_open+0x104/0x1d0
[   19.912520][ T6440]  path_openat+0xcf3/0xe20
[   19.913152][ T6440]  do_filp_open+0xe3/0x170
[   19.913775][ T6440]  ? alloc_fd+0x1a1/0x290
[   19.914385][ T6440]  ? _find_next_bit+0x10a/0x130
[   19.915042][ T6440]  ? do_sys_openat2+0x357/0x4a0
[   19.915690][ T6440]  do_sys_openat2+0x357/0x4a0
[   19.916318][ T6440]  do_sys_open+0x87/0xd0
[   19.916886][ T6440]  do_syscall_64+0x34/0xb0
[   19.917481][ T6440]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   19.918263][ T6440] RIP: 0033:0x7f0db3d91840
[   19.918852][ T6440] Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89
01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02
00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff
48 89 04 24
[   19.921462][ T6440] RSP: 002b:00007ffdba846478 EFLAGS: 00000246
ORIG_RAX: 0000000000000002
[   19.922620][ T6440] RAX: ffffffffffffffda RBX: 000055a6edb8f690
RCX: 00007f0db3d91840
[   19.923703][ T6440] RDX: 000055a6ebc31fe3 RSI: 00000000000a0800
RDI: 000055a6edb83070
[   19.924749][ T6440] RBP: 00007ffdba8465f0 R08: 000055a6ebc31670
R09: 0000000000000020
[   19.925794][ T6440] R10: 000055a6ebc31d0c R11: 0000000000000246
R12: 00007ffdba846540
[   19.926850][ T6440] R13: 000055a6edb86c20 R14: 0000000000000003
R15: 000000000000000e

More information about the linux-mtd mailing list