From: syzbot <syzbot+1fed2de07d8e11a3ec1b@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, penguin-kernel@i-love.sakura.ne.jp,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ocfs2?] possible deadlock in ocfs2_try_remove_refcount_tree
Date: Sat, 19 Jul 2025 11:22:02 -0700 [thread overview]
Message-ID: <687be24a.a70a0220.693ce.0092.GAE@google.com> (raw)
In-Reply-To: <690ae6be-8313-46eb-a546-b895f5a7227c@I-love.SAKURA.ne.jp>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in ocfs2_truncate_file
option from the mount to silence this warning.
=======================================================
ocfs2: Mounting device (7,0) on (node local, slot 0) with writeback data mode.
======================================================
WARNING: possible circular locking dependency detected
6.16.0-rc6-syzkaller-00253-g4871b7cb27f4-dirty #0 Not tainted
------------------------------------------------------
syz.0.16/6592 is trying to acquire lock:
ffff88807a9fc618 (sb_internal#2){.+.+}-{0:0}, at: ocfs2_orphan_for_truncate fs/ocfs2/file.c:396 [inline]
ffff88807a9fc618 (sb_internal#2){.+.+}-{0:0}, at: ocfs2_truncate_file+0x648/0x1410 fs/ocfs2/file.c:500
but task is already holding lock:
ffff88807da38660 (&oi->ip_alloc_sem){++++}-{4:4}, at: ocfs2_down_write fs/ocfs2/inode.h:74 [inline]
ffff88807da38660 (&oi->ip_alloc_sem){++++}-{4:4}, at: ocfs2_truncate_file+0x36a/0x1410 fs/ocfs2/file.c:471
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #4 (&oi->ip_alloc_sem){++++}-{4:4}:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1577
ocfs2_down_write fs/ocfs2/inode.h:74 [inline]
ocfs2_xattr_set_handle+0x3af/0x7a0 fs/ocfs2/xattr.c:3503
ocfs2_init_security_set+0xbd/0xe0 fs/ocfs2/xattr.c:7309
ocfs2_mknod+0x137f/0x2050 fs/ocfs2/namei.c:419
ocfs2_create+0x1a5/0x440 fs/ocfs2/namei.c:673
lookup_open fs/namei.c:3717 [inline]
open_last_lookups fs/namei.c:3816 [inline]
path_openat+0x14f1/0x3830 fs/namei.c:4052
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_open fs/open.c:1460 [inline]
__se_sys_open fs/open.c:1456 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1456
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #3 (&oi->ip_xattr_sem){++++}-{4:4}:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1577
ocfs2_down_write fs/ocfs2/inode.h:73 [inline]
ocfs2_xattr_set_handle+0x3a0/0x7a0 fs/ocfs2/xattr.c:3503
ocfs2_init_security_set+0xbd/0xe0 fs/ocfs2/xattr.c:7309
ocfs2_mknod+0x137f/0x2050 fs/ocfs2/namei.c:419
ocfs2_create+0x1a5/0x440 fs/ocfs2/namei.c:673
lookup_open fs/namei.c:3717 [inline]
open_last_lookups fs/namei.c:3816 [inline]
path_openat+0x14f1/0x3830 fs/namei.c:4052
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_open fs/open.c:1460 [inline]
__se_sys_open fs/open.c:1456 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1456
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #2 (jbd2_handle){++++}-{0:0}:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
start_this_handle+0x1fa7/0x21c0 fs/jbd2/transaction.c:444
jbd2__journal_start+0x2c1/0x5b0 fs/jbd2/transaction.c:501
jbd2_journal_start+0x2a/0x40 fs/jbd2/transaction.c:540
ocfs2_start_trans+0x376/0x6d0 fs/ocfs2/journal.c:374
ocfs2_block_group_alloc fs/ocfs2/suballoc.c:685 [inline]
ocfs2_reserve_suballoc_bits+0x711/0x4640 fs/ocfs2/suballoc.c:834
ocfs2_reserve_new_metadata_blocks+0x403/0x940 fs/ocfs2/suballoc.c:984
ocfs2_mknod+0xe08/0x2050 fs/ocfs2/namei.c:347
ocfs2_create+0x1a5/0x440 fs/ocfs2/namei.c:673
lookup_open fs/namei.c:3717 [inline]
open_last_lookups fs/namei.c:3816 [inline]
path_openat+0x14f1/0x3830 fs/namei.c:4052
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_open fs/open.c:1460 [inline]
__se_sys_open fs/open.c:1456 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1456
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (&journal->j_trans_barrier){.+.+}-{4:4}:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
down_read+0x46/0x2e0 kernel/locking/rwsem.c:1524
ocfs2_start_trans+0x36a/0x6d0 fs/ocfs2/journal.c:372
ocfs2_block_group_alloc fs/ocfs2/suballoc.c:685 [inline]
ocfs2_reserve_suballoc_bits+0x711/0x4640 fs/ocfs2/suballoc.c:834
ocfs2_reserve_new_metadata_blocks+0x403/0x940 fs/ocfs2/suballoc.c:984
ocfs2_mknod+0xe08/0x2050 fs/ocfs2/namei.c:347
ocfs2_create+0x1a5/0x440 fs/ocfs2/namei.c:673
lookup_open fs/namei.c:3717 [inline]
open_last_lookups fs/namei.c:3816 [inline]
path_openat+0x14f1/0x3830 fs/namei.c:4052
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_open fs/open.c:1460 [inline]
__se_sys_open fs/open.c:1456 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1456
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (sb_internal#2){.+.+}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3168 [inline]
check_prevs_add kernel/locking/lockdep.c:3287 [inline]
validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3911
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5240
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
percpu_down_read_internal include/linux/percpu-rwsem.h:53 [inline]
percpu_down_read_freezable include/linux/percpu-rwsem.h:83 [inline]
__sb_start_write include/linux/fs.h:1795 [inline]
sb_start_intwrite include/linux/fs.h:1978 [inline]
ocfs2_start_trans+0x26b/0x6d0 fs/ocfs2/journal.c:370
ocfs2_orphan_for_truncate fs/ocfs2/file.c:396 [inline]
ocfs2_truncate_file+0x648/0x1410 fs/ocfs2/file.c:500
ocfs2_setattr+0x1571/0x1b60 fs/ocfs2/file.c:1212
notify_change+0xb36/0xe40 fs/attr.c:552
do_truncate+0x1a4/0x220 fs/open.c:68
handle_truncate fs/namei.c:3517 [inline]
do_open fs/namei.c:3900 [inline]
path_openat+0x306c/0x3830 fs/namei.c:4055
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_open fs/open.c:1460 [inline]
__se_sys_open fs/open.c:1456 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1456
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
sb_internal#2 --> &oi->ip_xattr_sem --> &oi->ip_alloc_sem
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&oi->ip_alloc_sem);
lock(&oi->ip_xattr_sem);
lock(&oi->ip_alloc_sem);
rlock(sb_internal#2);
*** DEADLOCK ***
4 locks held by syz.0.16/6592:
#0: ffff88807a9fc428 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:557
#1: ffff88807da389c0 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: inode_lock_killable include/linux/fs.h:874 [inline]
#1: ffff88807da389c0 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: do_truncate+0x171/0x220 fs/open.c:63
#2: ffff88807da386f8 (&oi->ip_xattr_sem){++++}-{4:4}, at: ocfs2_down_write fs/ocfs2/inode.h:73 [inline]
#2: ffff88807da386f8 (&oi->ip_xattr_sem){++++}-{4:4}, at: ocfs2_truncate_file+0x359/0x1410 fs/ocfs2/file.c:471
#3: ffff88807da38660 (&oi->ip_alloc_sem){++++}-{4:4}, at: ocfs2_down_write fs/ocfs2/inode.h:74 [inline]
#3: ffff88807da38660 (&oi->ip_alloc_sem){++++}-{4:4}, at: ocfs2_truncate_file+0x36a/0x1410 fs/ocfs2/file.c:471
stack backtrace:
CPU: 1 UID: 0 PID: 6592 Comm: syz.0.16 Not tainted 6.16.0-rc6-syzkaller-00253-g4871b7cb27f4-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2046
check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2178
check_prev_add kernel/locking/lockdep.c:3168 [inline]
check_prevs_add kernel/locking/lockdep.c:3287 [inline]
validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3911
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5240
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
percpu_down_read_internal include/linux/percpu-rwsem.h:53 [inline]
percpu_down_read_freezable include/linux/percpu-rwsem.h:83 [inline]
__sb_start_write include/linux/fs.h:1795 [inline]
sb_start_intwrite include/linux/fs.h:1978 [inline]
ocfs2_start_trans+0x26b/0x6d0 fs/ocfs2/journal.c:370
ocfs2_orphan_for_truncate fs/ocfs2/file.c:396 [inline]
ocfs2_truncate_file+0x648/0x1410 fs/ocfs2/file.c:500
ocfs2_setattr+0x1571/0x1b60 fs/ocfs2/file.c:1212
notify_change+0xb36/0xe40 fs/attr.c:552
do_truncate+0x1a4/0x220 fs/open.c:68
handle_truncate fs/namei.c:3517 [inline]
do_open fs/namei.c:3900 [inline]
path_openat+0x306c/0x3830 fs/namei.c:4055
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_open fs/open.c:1460 [inline]
__se_sys_open fs/open.c:1456 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1456
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa61778e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa61868b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fa6179b5fa0 RCX: 00007fa61778e929
RDX: 0000000000000020 RSI: 000000000014927e RDI: 00002000000001c0
RBP: 00007fa617810b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa6179b5fa0 R15: 00007fffb0c2bbe8
</TASK>
Tested on:
commit: 4871b7cb Merge tag 'v6.16-rc6-smb3-client-fixes' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1474c38c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=1fed2de07d8e11a3ec1b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=1510c38c580000
next parent reply other threads:[~2025-07-19 18:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <690ae6be-8313-46eb-a546-b895f5a7227c@I-love.SAKURA.ne.jp>
2025-07-19 18:22 ` syzbot [this message]
[not found] <20240821210432.146003-1-djahchankoike@gmail.com>
2024-08-21 21:20 ` [syzbot] [ocfs2?] possible deadlock in ocfs2_try_remove_refcount_tree syzbot
2024-08-19 8:48 syzbot
2024-08-21 9:32 ` Edward Adam Davis
2024-08-21 9:48 ` syzbot
2024-09-23 22:04 ` syzbot
2025-06-21 14:27 ` Tetsuo Handa
2025-06-21 15:05 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=687be24a.a70a0220.693ce.0092.GAE@google.com \
--to=syzbot+1fed2de07d8e11a3ec1b@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.