From: syzbot <syzbot+8ff80a43de91ba2d80fc@syzkaller.appspotmail.com>
To: clm@fb.com, dsterba@suse.com, josef@toxicpanda.com,
linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: [syzbot] [btrfs?] possible deadlock in btrfs_page_mkwrite
Date: Wed, 03 Dec 2025 00:21:24 -0800
Message-ID: <692ff304.a70a0220.d98e3.01b4.GAE@google.com>
Hello,
syzbot found the following issue on:
HEAD commit: 05c93f3395ed Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=16cfa112580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3b5338ad1e59a06c
dashboard link: https://syzkaller.appspot.com/bug?extid=8ff80a43de91ba2d80fc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b5c913e373c/disk-05c93f33.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/15e75f1266ef/vmlinux-05c93f33.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dd930129c578/Image-05c93f33.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8ff80a43de91ba2d80fc@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.1.810/10993 is trying to acquire lock:
ffff0000f98b59b8 (&ei->i_mmap_lock){++++}-{4:4}, at: btrfs_page_mkwrite+0x5a4/0x1714 fs/btrfs/file.c:1919
but task is already holding lock:
ffff0000cadb8518 (sb_pagefaults#7){.+.+}-{0:0}, at: do_page_mkwrite+0x138/0x2b8 mm/memory.c:3489
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #6 (sb_pagefaults#7){.+.+}-{0:0}:
percpu_down_read_internal include/linux/percpu-rwsem.h:53 [inline]
percpu_down_read_freezable include/linux/percpu-rwsem.h:83 [inline]
__sb_start_write include/linux/fs.h:1916 [inline]
sb_start_pagefault include/linux/fs.h:2081 [inline]
btrfs_page_mkwrite+0x284/0x1714 fs/btrfs/file.c:1874
do_page_mkwrite+0x138/0x2b8 mm/memory.c:3489
do_shared_fault mm/memory.c:5792 [inline]
do_fault mm/memory.c:5854 [inline]
do_pte_missing mm/memory.c:4362 [inline]
handle_pte_fault mm/memory.c:6234 [inline]
__handle_mm_fault+0x178c/0x4798 mm/memory.c:6366
handle_mm_fault+0x274/0x7fc mm/memory.c:6535
do_page_fault+0x57c/0x13cc arch/arm64/mm/fault.c:700
do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:793
do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:933
el0_da+0x64/0x230 arch/arm64/kernel/entry-common.c:540
el0t_64_sync_handler+0x90/0x12c arch/arm64/kernel/entry-common.c:746
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
-> #5 (&mm->mmap_lock){++++}-{4:4}:
down_read_killable+0x60/0x32c kernel/locking/rwsem.c:1560
mmap_read_lock_killable+0x28/0x8c include/linux/mmap_lock.h:377
get_mmap_lock_carefully mm/mmap_lock.c:377 [inline]
lock_mm_and_find_vma+0x2a4/0x2d8 mm/mmap_lock.c:428
do_page_fault+0x50c/0x13cc arch/arm64/mm/fault.c:678
do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:793
do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:933
el1_abort+0x40/0x64 arch/arm64/kernel/entry-common.c:303
el1h_64_sync_handler+0x50/0xfc arch/arm64/kernel/entry-common.c:437
el1h_64_sync+0x6c/0x70 arch/arm64/kernel/entry.S:591
__uaccess_mask_ptr arch/arm64/include/asm/uaccess.h:169 [inline]
filldir64+0x314/0x6bc fs/readdir.c:381
dir_emit include/linux/fs.h:3988 [inline]
kernfs_fop_readdir+0x498/0x79c fs/kernfs/dir.c:1910
iterate_dir+0x2dc/0x478 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64 fs/readdir.c:396 [inline]
__arm64_sys_getdents64+0x110/0x2fc fs/readdir.c:396
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
-> #4 (&root->kernfs_rwsem){++++}-{4:4}:
down_write+0x50/0xc0 kernel/locking/rwsem.c:1590
kernfs_add_one+0x48/0x60c fs/kernfs/dir.c:791
kernfs_create_dir_ns+0xd4/0x12c fs/kernfs/dir.c:1093
sysfs_create_dir_ns+0x114/0x24c fs/sysfs/dir.c:59
create_dir lib/kobject.c:73 [inline]
kobject_add_internal+0x5a8/0xb20 lib/kobject.c:240
kobject_add_varg lib/kobject.c:374 [inline]
kobject_init_and_add+0x118/0x17c lib/kobject.c:457
btrfs_sysfs_add_qgroups+0x110/0x268 fs/btrfs/sysfs.c:2645
btrfs_quota_enable+0x210/0x2438 fs/btrfs/qgroup.c:1022
btrfs_ioctl_quota_ctl+0x178/0x1bc fs/btrfs/ioctl.c:3667
btrfs_ioctl+0x86c/0xc3c fs/btrfs/ioctl.c:5333
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
-> #3 (&fs_info->qgroup_ioctl_lock){+.+.}-{4:4}:
__mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598
__mutex_lock kernel/locking/mutex.c:760 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
btrfs_quota_enable+0x24c/0x2438 fs/btrfs/qgroup.c:1051
btrfs_ioctl_quota_ctl+0x178/0x1bc fs/btrfs/ioctl.c:3667
btrfs_ioctl+0x86c/0xc3c fs/btrfs/ioctl.c:5333
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
-> #2 (btrfs_trans_num_extwriters){++++}-{0:0}:
join_transaction+0x190/0xb5c fs/btrfs/transaction.c:321
start_transaction+0x778/0x155c fs/btrfs/transaction.c:705
btrfs_start_transaction+0x34/0x44 fs/btrfs/transaction.c:816
btrfs_rebuild_free_space_tree+0xac/0x6c0 fs/btrfs/free-space-tree.c:1340
btrfs_start_pre_rw_mount+0xed8/0x1728 fs/btrfs/disk-io.c:3062
open_ctree+0x24cc/0x358c fs/btrfs/disk-io.c:3619
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0xd94/0x15dc fs/btrfs/super.c:2128
vfs_get_tree+0x90/0x28c fs/super.c:1758
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3642 [inline]
do_new_mount+0x284/0x944 fs/namespace.c:3718
path_mount+0x5b4/0xdfc fs/namespace.c:4028
do_mount fs/namespace.c:4041 [inline]
__do_sys_mount fs/namespace.c:4229 [inline]
__se_sys_mount fs/namespace.c:4206 [inline]
__arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4206
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
-> #1 (btrfs_trans_num_writers){++++}-{0:0}:
__lock_release kernel/locking/lockdep.c:5574 [inline]
lock_release+0x198/0x39c kernel/locking/lockdep.c:5889
percpu_up_read include/linux/percpu-rwsem.h:112 [inline]
__sb_end_write include/linux/fs.h:1911 [inline]
sb_end_intwrite+0x3c/0x348 include/linux/fs.h:2028
__btrfs_end_transaction+0x1f4/0x5f4 fs/btrfs/transaction.c:1076
btrfs_end_transaction+0x24/0x34 fs/btrfs/transaction.c:1110
__btrfs_prealloc_file_range+0x77c/0xb28 fs/btrfs/inode.c:9145
btrfs_prealloc_file_range+0x60/0x7c fs/btrfs/inode.c:9159
btrfs_zero_range+0x928/0xb7c fs/btrfs/file.c:3070
btrfs_fallocate+0x8ec/0x1734 fs/btrfs/file.c:3181
vfs_fallocate+0x52c/0x668 fs/open.c:342
ksys_fallocate fs/open.c:366 [inline]
__do_sys_fallocate fs/open.c:371 [inline]
__se_sys_fallocate fs/open.c:369 [inline]
__arm64_sys_fallocate+0xbc/0x10c fs/open.c:369
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
-> #0 (&ei->i_mmap_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
down_read+0x58/0x2f8 kernel/locking/rwsem.c:1537
btrfs_page_mkwrite+0x5a4/0x1714 fs/btrfs/file.c:1919
do_page_mkwrite+0x138/0x2b8 mm/memory.c:3489
do_shared_fault mm/memory.c:5792 [inline]
do_fault mm/memory.c:5854 [inline]
do_pte_missing mm/memory.c:4362 [inline]
handle_pte_fault mm/memory.c:6234 [inline]
__handle_mm_fault+0x178c/0x4798 mm/memory.c:6366
handle_mm_fault+0x274/0x7fc mm/memory.c:6535
do_page_fault+0x57c/0x13cc arch/arm64/mm/fault.c:700
do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:793
do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:933
el0_da+0x64/0x230 arch/arm64/kernel/entry-common.c:540
el0t_64_sync_handler+0x90/0x12c arch/arm64/kernel/entry-common.c:746
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
other info that might help us debug this:
Chain exists of:
&ei->i_mmap_lock --> &mm->mmap_lock --> sb_pagefaults#7
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(sb_pagefaults#7);
lock(&mm->mmap_lock);
lock(sb_pagefaults#7);
rlock(&ei->i_mmap_lock);
*** DEADLOCK ***
2 locks held by syz.1.810/10993:
#0: ffff0000cf866790 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_trylock include/linux/mmap_lock.h:387 [inline]
#0: ffff0000cf866790 (&mm->mmap_lock){++++}-{4:4}, at: get_mmap_lock_carefully mm/mmap_lock.c:368 [inline]
#0: ffff0000cf866790 (&mm->mmap_lock){++++}-{4:4}, at: lock_mm_and_find_vma+0x38/0x2d8 mm/mmap_lock.c:428
#1: ffff0000cadb8518 (sb_pagefaults#7){.+.+}-{0:0}, at: do_page_mkwrite+0x138/0x2b8 mm/memory.c:3489
stack backtrace:
CPU: 0 UID: 0 PID: 10993 Comm: syz.1.810 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
dump_stack+0x1c/0x28 lib/dump_stack.c:129
print_circular_bug+0x324/0x32c kernel/locking/lockdep.c:2043
check_noncircular+0x154/0x174 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
down_read+0x58/0x2f8 kernel/locking/rwsem.c:1537
btrfs_page_mkwrite+0x5a4/0x1714 fs/btrfs/file.c:1919
do_page_mkwrite+0x138/0x2b8 mm/memory.c:3489
do_shared_fault mm/memory.c:5792 [inline]
do_fault mm/memory.c:5854 [inline]
do_pte_missing mm/memory.c:4362 [inline]
handle_pte_fault mm/memory.c:6234 [inline]
__handle_mm_fault+0x178c/0x4798 mm/memory.c:6366
handle_mm_fault+0x274/0x7fc mm/memory.c:6535
do_page_fault+0x57c/0x13cc arch/arm64/mm/fault.c:700
do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:793
do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:933
el0_da+0x64/0x230 arch/arm64/kernel/entry-common.c:540
el0t_64_sync_handler+0x90/0x12c arch/arm64/kernel/entry-common.c:746
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup