From: syzbot <syzbot+cb1fdea540b46f0ce394@syzkaller.appspotmail.com>
To: anton@tuxera.com, linux-kernel@vger.kernel.org,
linux-ntfs-dev@lists.sourceforge.net,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ntfs?] possible deadlock in map_mft_record
Date: Fri, 30 Dec 2022 04:29:41 -0800 [thread overview]
Message-ID: <0000000000007ac19005f10ac1aa@google.com> (raw)
In-Reply-To: <0000000000002a6cba05eb5c7fbd@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 2258c2dc850b Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1285d048480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=cb1fdea540b46f0ce394
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d788b8480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15347b32480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aee4b2292a64/disk-2258c2dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ecfc816182c/vmlinux-2258c2dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f24ffaf1255a/bzImage-2258c2dc.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0f6a807498b6/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cb1fdea540b46f0ce394@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 4096
ntfs: volume version 3.1.
======================================================
WARNING: possible circular locking dependency detected
6.2.0-rc1-syzkaller-00043-g2258c2dc850b #0 Not tainted
------------------------------------------------------
syz-executor154/5075 is trying to acquire lock:
ffff888073152ad0 (&lcnbmp_mrec_lock_key){+.+.}-{3:3}, at: map_mft_record+0x46/0x610 fs/ntfs/mft.c:154
but task is already holding lock:
ffff88802ac261f8 (&vol->lcnbmp_lock){+.+.}-{3:3}, at: ntfs_put_super+0x36b/0xf80 fs/ntfs/super.c:2282
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&vol->lcnbmp_lock){+.+.}-{3:3}:
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
down_write+0x9c/0x270 kernel/locking/rwsem.c:1562
__ntfs_cluster_free+0xd4/0x890 fs/ntfs/lcnalloc.c:862
ntfs_cluster_free fs/ntfs/lcnalloc.h:96 [inline]
ntfs_truncate+0x119c/0x2720 fs/ntfs/inode.c:2695
ntfs_truncate_vfs fs/ntfs/inode.c:2862 [inline]
ntfs_setattr+0x2b9/0x3a0 fs/ntfs/inode.c:2914
notify_change+0xe50/0x1100 fs/attr.c:482
do_truncate+0x200/0x2f0 fs/open.c:65
handle_truncate fs/namei.c:3216 [inline]
do_open fs/namei.c:3561 [inline]
path_openat+0x272b/0x2dd0 fs/namei.c:3714
do_file_open_root+0x339/0x790 fs/namei.c:3766
file_open_root+0x234/0x290 fs/open.c:1290
do_handle_open+0x565/0x950 fs/fhandle.c:232
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
-> #0 (&lcnbmp_mrec_lock_key){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3097 [inline]
check_prevs_add kernel/locking/lockdep.c:3216 [inline]
validate_chain+0x1898/0x6ae0 kernel/locking/lockdep.c:3831
__lock_acquire+0x1292/0x1f60 kernel/locking/lockdep.c:5055
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
__mutex_lock_common+0x1bd/0x26e0 kernel/locking/mutex.c:603
__mutex_lock kernel/locking/mutex.c:747 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
map_mft_record+0x46/0x610 fs/ntfs/mft.c:154
__ntfs_write_inode+0x80/0xc90 fs/ntfs/inode.c:2978
ntfs_commit_inode fs/ntfs/inode.h:300 [inline]
ntfs_put_super+0x3ba/0xf80 fs/ntfs/super.c:2283
generic_shutdown_super+0x130/0x310 fs/super.c:492
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x644/0x2150 kernel/exit.c:867
do_group_exit+0x1fd/0x2b0 kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1021
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&vol->lcnbmp_lock);
lock(&lcnbmp_mrec_lock_key);
lock(&vol->lcnbmp_lock);
lock(&lcnbmp_mrec_lock_key);
*** DEADLOCK ***
2 locks held by syz-executor154/5075:
#0: ffff88807a03e0e0 (&type->s_umount_key#46){+.+.}-{3:3}, at: deactivate_super+0x96/0xd0 fs/super.c:362
#1: ffff88802ac261f8 (&vol->lcnbmp_lock){+.+.}-{3:3}, at: ntfs_put_super+0x36b/0xf80 fs/ntfs/super.c:2282
stack backtrace:
CPU: 1 PID: 5075 Comm: syz-executor154 Not tainted 6.2.0-rc1-syzkaller-00043-g2258c2dc850b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2177
check_prev_add kernel/locking/lockdep.c:3097 [inline]
check_prevs_add kernel/locking/lockdep.c:3216 [inline]
validate_chain+0x1898/0x6ae0 kernel/locking/lockdep.c:3831
__lock_acquire+0x1292/0x1f60 kernel/locking/lockdep.c:5055
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
__mutex_lock_common+0x1bd/0x26e0 kernel/locking/mutex.c:603
__mutex_lock kernel/locking/mutex.c:747 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
map_mft_record+0x46/0x610 fs/ntfs/mft.c:154
__ntfs_write_inode+0x80/0xc90 fs/ntfs/inode.c:2978
ntfs_commit_inode fs/ntfs/inode.h:300 [inline]
ntfs_put_super+0x3ba/0xf80 fs/ntfs/super.c:2283
generic_shutdown_super+0x130/0x310 fs/super.c:492
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x644/0x2150 kernel/exit.c:867
do_group_exit+0x1fd/0x2b0 kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1021
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1316ebea09
Code: Unable to access opcode bytes at 0x7f1316ebe9df.
RSP: 002b:00007ffe53bdb118 EFLAGS: 0000
next prev parent reply other threads:[~2022-12-30 12:29 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-19 5:29 [syzbot] possible deadlock in map_mft_record syzbot
2022-12-30 12:29 ` syzbot [this message]
2024-03-10 2:05 ` [syzbot] [ntfs3?] " syzbot
2024-03-11 16:29 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000007ac19005f10ac1aa@google.com \
--to=syzbot+cb1fdea540b46f0ce394@syzkaller.appspotmail.com \
--cc=anton@tuxera.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-ntfs-dev@lists.sourceforge.net \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox