* [syzbot] [ntfs3?] INFO: trying to register non-static key in ntfs_set_size
@ 2025-09-15 18:17 syzbot
2025-09-16 3:33 ` Edward Adam Davis
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: syzbot @ 2025-09-15 18:17 UTC (permalink / raw)
To: almaz.alexandrovich, linux-kernel, ntfs3, penguin-kernel,
penguin-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 590b221ed425 Add linux-next specific files for 20250912
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1379b934580000
kernel config: https://syzkaller.appspot.com/x/.config?x=12a1d1f3a8199632
dashboard link: https://syzkaller.appspot.com/bug?extid=bdeb22a4b9a09ab9aa45
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144aa762580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117c8762580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63a963fc26db/disk-590b221e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0c2013d30830/vmlinux-590b221e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7ee4d3a8e8f6/bzImage-590b221e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0f2061b3352a/mount_0.gz
The issue was bisected to:
commit 4e8011ffec79717e5fdac43a7e79faf811a384b7
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Tue Sep 2 10:43:24 2025 +0000
ntfs3: pretend $Extend records as regular files
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10d9947c580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=12d9947c580000
console output: https://syzkaller.appspot.com/x/log.txt?x=14d9947c580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
Fixes: 4e8011ffec79 ("ntfs3: pretend $Extend records as regular files")
loop0: detected capacity change from 0 to 4096
ntfs3(loop0): Different NTFS sector size (4096) and media sector size (512).
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 1 UID: 0 PID: 6038 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299
__lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590
ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860
ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
notify_change+0xc1a/0xf40 fs/attr.c:546
do_truncate+0x1a4/0x220 fs/open.c:68
vfs_truncate+0x493/0x520 fs/open.c:118
do_sys_truncate+0xdb/0x190 fs/open.c:141
__do_sys_truncate fs/open.c:153 [inline]
__se_sys_truncate fs/open.c:151 [inline]
__x64_sys_truncate+0x5b/0x70 fs/open.c:151
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
ntfs3(loop0): ino=19, "file1" attr_set_size
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(sem->magic != sem): count = 0x1, magic = 0x0, owner = 0xffff888075e03c80, curr 0xffff888075e03c80, list not empty
WARNING: kernel/locking/rwsem.c:1375 at __up_write kernel/locking/rwsem.c:1375 [inline], CPU#1: syz.0.17/6038
WARNING: kernel/locking/rwsem.c:1375 at up_write+0x2d1/0x420 kernel/locking/rwsem.c:1643, CPU#1: syz.0.17/6038
Modules linked in:
CPU: 1 UID: 0 PID: 6038 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:__up_write kernel/locking/rwsem.c:1375 [inline]
RIP: 0010:up_write+0x2d1/0x420 kernel/locking/rwsem.c:1643
Call Trace:
<TASK>
ntfs_set_size+0x172/0x200 fs/ntfs3/inode.c:865
ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
notify_change+0xc1a/0xf40 fs/attr.c:546
do_truncate+0x1a4/0x220 fs/open.c:68
vfs_truncate+0x493/0x520 fs/open.c:118
do_sys_truncate+0xdb/0x190 fs/open.c:141
__do_sys_truncate fs/open.c:153 [inline]
__se_sys_truncate fs/open.c:151 [inline]
__x64_sys_truncate+0x5b/0x70 fs/open.c:151
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [ntfs3?] INFO: trying to register non-static key in ntfs_set_size
From: Edward Adam Davis @ 2025-09-16 3:33 UTC (permalink / raw)
To: syzbot+bdeb22a4b9a09ab9aa45; +Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 3959f23c487a..180cd984339b 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -472,6 +472,7 @@ static struct inode *ntfs_read_mft(struct inode *inode,
/* Records in $Extend are not a files or general directories. */
inode->i_op = &ntfs_file_inode_operations;
mode = S_IFREG;
+ init_rwsem(&ni->file.run_lock);
} else {
err = -EINVAL;
goto out;
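Review bot: the added `init_rwsem(&ni->file.run_lock);` covers only the one lock the reproducer hit, while the same branch installs `ntfs_file_inode_operations` and sets `mode = S_IFREG`, so the file inode operations as a whole become reachable for these records. Before this is sent as a formal patch, check whether any other `ni->file` state those operations rely on is also left uninitialized in this branch, and state the result in the changelog.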
* Re: [syzbot] [ntfs3?] INFO: trying to register non-static key in ntfs_set_size
From: Tetsuo Handa @ 2025-09-16 3:48 UTC (permalink / raw)
To: almaz.alexandrovich, ntfs3; +Cc: syzbot, linux-kernel, syzkaller-bugs
Well, we need to also initialize ni->file.run_lock, for vfs_truncate() now
passes the
/* For directories it's -EISDIR, for other non-regulars - -EINVAL */
if (S_ISDIR(inode->i_mode))
return -EISDIR;
if (!S_ISREG(inode->i_mode))
return -EINVAL;
check. But do we really want to pretend as if S_IFREG ?
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 37cbbee7fa58..ea2193ebf8fc 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -471,6 +471,8 @@ static struct inode *ntfs_read_mft(struct inode *inode,
fname->home.seq == cpu_to_le16(MFT_REC_EXTEND)) {
/* Records in $Extend are not a files or general directories. */
inode->i_op = &ntfs_file_inode_operations;
+ mode = S_IFREG;
+ init_rwsem(&ni->file.run_lock);
} else {
err = -EINVAL;
goto out;
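Review bot: the context comment directly above the added lines still says records in $Extend are not files, yet the added `mode = S_IFREG;` now presents them as regular files. Update that comment in the same hunk to say the mode is a pretence and that `run_lock` is initialized because the file operations installed on the line above can then reach it.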
Are records in $Extend expected to be truncated to arbitrary size? Should we
prepend something other than S_IFREG (at least S_IFREG so that truncate()
will fail, or possibly S_IFSOCK so that open() will fail) ?
On 2025/09/16 3:17, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 590b221ed425 Add linux-next specific files for 20250912
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1379b934580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=12a1d1f3a8199632
> dashboard link: https://syzkaller.appspot.com/bug?extid=bdeb22a4b9a09ab9aa45
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144aa762580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117c8762580000
* Re: [syzbot] [ntfs3?] INFO: trying to register non-static key in ntfs_set_size
From: syzbot @ 2025-09-16 4:01 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
Tested-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
Tested on:
commit: c3067c2c Add linux-next specific files for 20250915
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1605fb62580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e269dbc7717119a2
dashboard link: https://syzkaller.appspot.com/bug?extid=bdeb22a4b9a09ab9aa45
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=104b8e42580000
Note: testing is done by a robot and is best-effort only.
* [PATCH Next] ntfs3: init run lock for extend inode
From: Edward Adam Davis @ 2025-09-16 5:50 UTC (permalink / raw)
To: syzbot+bdeb22a4b9a09ab9aa45
Cc: almaz.alexandrovich, linux-kernel, ntfs3, penguin-kernel,
syzkaller-bugs
After setting the inode mode of $Extend to a regular file, executing the
truncate system call will enter the do_truncate() routine, causing the
run_lock uninitialized error reported by syzbot.
Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to
a regular file, the do_truncate() routine would not be entered.
Add the run_lock initialization when loading $Extend.
syzbot reported:
INFO: trying to register non-static key.
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299
__lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590
ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860
ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
Fixes: 4e8011ffec79 ("ntfs3: pretend $Extend records as regular files")
Reported-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bdeb22a4b9a09ab9aa45
Tested-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/ntfs3/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 3959f23c487a..180cd984339b 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -472,6 +472,7 @@ static struct inode *ntfs_read_mft(struct inode *inode,
/* Records in $Extend are not a files or general directories. */
inode->i_op = &ntfs_file_inode_operations;
mode = S_IFREG;
+ init_rwsem(&ni->file.run_lock);
} else {
err = -EINVAL;
goto out;
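Review bot: the new `init_rwsem(&ni->file.run_lock);` line carries no comment, so the reason it is needed lives only in the changelog. A one-line comment above it, noting that S_IFREG lets truncate reach ntfs_set_size(), which takes run_lock, would keep a later cleanup from dropping the call as redundant.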
--
2.43.0
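The failure described in the changelog above and in Tetsuo Handa's 2025-09-16 reply, as an added userspace model (not code from the thread or from fs/ntfs3): the mode check decides whether truncate reaches the lock at all, and a self-pointer `magic` field, modelled on the `sem->magic != sem` warning in the report, exposes a lock that was never initialized. All `toy_*` names, `TOY_ELOCKUNINIT`, and the assumption that the mode before 4e8011ffec79 carried no file-type bits are illustrative.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* File-type bits with the usual Linux values, redefined so the model is self-contained. */
#define TOY_S_IFMT  0170000u
#define TOY_S_IFDIR 0040000u
#define TOY_S_IFREG 0100000u
#define TOY_ELOCKUNINIT (-1000) /* hypothetical code: lock used before init */

struct toy_rwsem {
	struct toy_rwsem *magic; /* points at itself once initialized */
	int write_held;
};

struct toy_inode {
	unsigned int mode;
	struct toy_rwsem run_lock;
};

static void toy_init_rwsem(struct toy_rwsem *sem)
{
	sem->magic = sem;
	sem->write_held = 0;
}

/* Mirrors the debug check from the report: a zeroed lock has magic == NULL. */
static int toy_down_write(struct toy_rwsem *sem)
{
	if (sem->magic != sem)
		return TOY_ELOCKUNINIT;
	sem->write_held = 1;
	return 0;
}

static void toy_up_write(struct toy_rwsem *sem)
{
	sem->write_held = 0;
}

/* Model of the $Extend branch: the two flags select which of the changes are applied. */
static void toy_load_extend_record(struct toy_inode *inode, int pretend_regular,
				   int init_lock)
{
	memset(inode, 0, sizeof(*inode)); /* freshly allocated inode, lock untouched */
	if (pretend_regular)
		inode->mode = TOY_S_IFREG;
	if (init_lock)
		toy_init_rwsem(&inode->run_lock);
}

/* Model of the truncate path: mode check first, then the size change under run_lock. */
static int toy_truncate(struct toy_inode *inode)
{
	int err;

	if ((inode->mode & TOY_S_IFMT) == TOY_S_IFDIR)
		return -EISDIR;
	if ((inode->mode & TOY_S_IFMT) != TOY_S_IFREG)
		return -EINVAL;
	err = toy_down_write(&inode->run_lock);
	if (err)
		return err;
	/* the size update would happen here */
	toy_up_write(&inode->run_lock);
	return 0;
}

static int run_scenario(int pretend_regular, int init_lock)
{
	struct toy_inode inode;

	toy_load_extend_record(&inode, pretend_regular, init_lock);
	return toy_truncate(&inode);
}

int main(void)
{
	printf("mode not regular:        %d\n", run_scenario(0, 0));
	printf("S_IFREG, lock not init:  %d\n", run_scenario(1, 0));
	printf("S_IFREG, lock init:      %d\n", run_scenario(1, 1));
	return 0;
}
```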
* Re: [syzbot] [ntfs3?] INFO: trying to register non-static key in ntfs_set_size
From: Tetsuo Handa @ 2025-09-20 9:42 UTC (permalink / raw)
To: almaz.alexandrovich, ntfs3, Edward Adam Davis
Cc: syzbot, linux-kernel, syzkaller-bugs
On 2025/09/16 12:48, Tetsuo Handa wrote:
> Well, we need to also initialize ni->file.run_lock, for vfs_truncate() now
> passes the
>
> /* For directories it's -EISDIR, for other non-regulars - -EINVAL */
> if (S_ISDIR(inode->i_mode))
> return -EISDIR;
> if (!S_ISREG(inode->i_mode))
> return -EINVAL;
>
> check. But do we really want to pretend as if S_IFREG ?
>
> diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
> index 37cbbee7fa58..ea2193ebf8fc 100644
> --- a/fs/ntfs3/inode.c
> +++ b/fs/ntfs3/inode.c
> @@ -471,6 +471,8 @@ static struct inode *ntfs_read_mft(struct inode *inode,
> fname->home.seq == cpu_to_le16(MFT_REC_EXTEND)) {
> /* Records in $Extend are not a files or general directories. */
> inode->i_op = &ntfs_file_inode_operations;
> + mode = S_IFREG;
> + init_rwsem(&ni->file.run_lock);
> } else {
> err = -EINVAL;
> goto out;
>
> Are records in $Extend expected to be truncated to arbitrary size? Should we
> prepend something other than S_IFREG (at least S_IFREG so that truncate()
pretend something other than S_IFREG (at least S_IFDIR so that truncate()
> will fail, or possibly S_IFSOCK so that open() will fail) ?
Well, ntfs_extend_init() verifies that the inode returned as the result of
looking up MFT_REC_EXTEND is S_IFDIR.
ref.low = cpu_to_le32(MFT_REC_EXTEND);
ref.high = 0;
ref.seq = cpu_to_le16(MFT_REC_EXTEND);
inode = ntfs_iget5(sb, &ref, &NAME_EXTEND);
if (IS_ERR(inode)) {
err = PTR_ERR(inode);
ntfs_err(sb, "Failed to load $Extend (%d).", err);
inode = NULL;
goto out;
}
/* If ntfs_iget5() reads from disk it never returns bad inode. */
if (!S_ISDIR(inode->i_mode)) {
err = -EINVAL;
goto out;
}
Then, should ntfs_read_mft() pretend as if S_IFDIR ? Also, are conditions
} else if (fname && fname->home.low == cpu_to_le32(MFT_REC_EXTEND) &&
fname->home.seq == cpu_to_le16(MFT_REC_EXTEND)) {
/* Records in $Extend are not a files or general directories. */
inode->i_op = &ntfs_file_inode_operations;
correct? These conditions do not check ref.high == 0 and name is "$Extend".
Don't we need to verify ref.high and name here?
* Re: [syzbot] [ntfs3?] INFO: trying to register non-static key in ntfs_set_size
From: Tetsuo Handa @ 2025-10-04 10:43 UTC (permalink / raw)
To: almaz.alexandrovich, ntfs3, Edward Adam Davis
Cc: syzbot, linux-kernel, syzkaller-bugs
On 2025/09/20 18:42, Tetsuo Handa wrote:
> On 2025/09/16 12:48, Tetsuo Handa wrote:
>> Well, we need to also initialize ni->file.run_lock, for vfs_truncate() now
>> passes the
>>
>> /* For directories it's -EISDIR, for other non-regulars - -EINVAL */
>> if (S_ISDIR(inode->i_mode))
>> return -EISDIR;
>> if (!S_ISREG(inode->i_mode))
>> return -EINVAL;
>>
>> check. But do we really want to pretend as if S_IFREG ?
>>
>> diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
>> index 37cbbee7fa58..ea2193ebf8fc 100644
>> --- a/fs/ntfs3/inode.c
>> +++ b/fs/ntfs3/inode.c
>> @@ -471,6 +471,8 @@ static struct inode *ntfs_read_mft(struct inode *inode,
>> fname->home.seq == cpu_to_le16(MFT_REC_EXTEND)) {
>> /* Records in $Extend are not a files or general directories. */
>> inode->i_op = &ntfs_file_inode_operations;
>> + mode = S_IFREG;
>> + init_rwsem(&ni->file.run_lock);
>> } else {
>> err = -EINVAL;
>> goto out;
>>
>> Are records in $Extend expected to be truncated to arbitrary size? Should we
>> prepend something other than S_IFREG (at least S_IFREG so that truncate()
>
> pretend something other than S_IFREG (at least S_IFDIR so that truncate()
>
>> will fail, or possibly S_IFSOCK so that open() will fail) ?
I tested using a legitimate filesystem image, and I came to a conclusion that
pretending as if S_IFREG seems to be OK because normal operations (e.g. read,
truncate) fail with "No such device or address" despite S_IFREG.
Therefore, please apply
https://lkml.kernel.org/r/tencent_F24B651BC22523BA92BB5A337D9E2A1B5F08@qq.com
and send to linux.git .
------------------------------------------------------------
[root@localhost ~]# truncate -s 100M testfile.img
[root@localhost ~]# mkfs.ntfs -F testfile.img
testfile.img is not a block device.
mkntfs forced anyway.
The sector size was not specified for testfile.img and it could not be obtained automatically. It has been set to 512 bytes.
The partition start sector was not specified for testfile.img and it could not be obtained automatically. It has been set to 0.
The number of sectors per track was not specified for testfile.img and it could not be obtained automatically. It has been set to 0.
The number of heads was not specified for testfile.img and it could not be obtained automatically. It has been set to 0.
Cluster size has been automatically set to 4096 bytes.
To boot from a device, Windows needs the 'partition start sector', the 'sectors per track' and the 'number of heads' to be set.
Windows will not be able to boot from this device.
Initializing device with zeroes: 100% - Done.
Creating NTFS volume structures.
mkntfs completed successfully. Have a nice day.
[root@localhost ~]# mount -t ntfs3 -o loop testfile.img /mnt/
for i in '$ObjId' '$Quota' '$Reparse'
do
stat /mnt/\$Extend/$i
truncate -s 1024 /mnt/\$Extend/$i
chmod 7777 /mnt/\$Extend/$i
chown 1 /mnt/\$Extend/$i
cat /mnt/\$Extend/\$Reparse
stat /mnt/\$Extend/$i
rm -f /mnt/\$Extend/$i
done
File: /mnt/$Extend/$ObjId
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 7,0 Inode: 25 Links: 1
Access: (0000/----------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-10-04 19:26:28.077612000 +0900
Modify: 2025-10-04 19:26:28.077612000 +0900
Change: 2025-10-04 19:26:28.077612000 +0900
Birth: 2025-10-04 19:26:28.077612000 +0900
truncate: cannot open '/mnt/$Extend/$ObjId' for writing: No such device or address
cat: '/mnt/$Extend/$Reparse': No such device or address
File: /mnt/$Extend/$ObjId
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 7,0 Inode: 25 Links: 1
Access: (1777/-rwxrwxrwt) Uid: ( 1/ bin) Gid: ( 0/ root)
Access: 2025-10-04 19:26:28.077612000 +0900
Modify: 2025-10-04 19:26:28.077612000 +0900
Change: 2025-10-04 19:28:18.811900400 +0900
Birth: 2025-10-04 19:26:28.077612000 +0900
File: /mnt/$Extend/$Quota
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 7,0 Inode: 24 Links: 1
Access: (0000/----------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-10-04 19:26:28.077612000 +0900
Modify: 2025-10-04 19:26:28.077612000 +0900
Change: 2025-10-04 19:26:28.077612000 +0900
Birth: 2025-10-04 19:26:28.077612000 +0900
truncate: cannot open '/mnt/$Extend/$Quota' for writing: No such device or address
cat: '/mnt/$Extend/$Reparse': No such device or address
File: /mnt/$Extend/$Quota
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 7,0 Inode: 24 Links: 1
Access: (1777/-rwxrwxrwt) Uid: ( 1/ bin) Gid: ( 0/ root)
Access: 2025-10-04 19:26:28.077612000 +0900
Modify: 2025-10-04 19:26:28.077612000 +0900
Change: 2025-10-04 19:28:18.901901800 +0900
Birth: 2025-10-04 19:26:28.077612000 +0900
File: /mnt/$Extend/$Reparse
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 7,0 Inode: 26 Links: 1
Access: (0000/----------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-10-04 19:26:28.077612000 +0900
Modify: 2025-10-04 19:26:28.077612000 +0900
Change: 2025-10-04 19:26:28.077612000 +0900
Birth: 2025-10-04 19:26:28.077612000 +0900
truncate: cannot open '/mnt/$Extend/$Reparse' for writing: No such device or address
cat: '/mnt/$Extend/$Reparse': No such device or address
File: /mnt/$Extend/$Reparse
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 7,0 Inode: 26 Links: 1
Access: (1777/-rwxrwxrwt) Uid: ( 1/ bin) Gid: ( 0/ root)
Access: 2025-10-04 19:26:28.077612000 +0900
Modify: 2025-10-04 19:26:28.077612000 +0900
Change: 2025-10-04 19:28:18.983903100 +0900
Birth: 2025-10-04 19:26:28.077612000 +0900
------------------------------------------------------------
* Re: [PATCH Next] ntfs3: init run lock for extend inode
From: Konstantin Komarov @ 2025-11-20 9:02 UTC (permalink / raw)
To: Edward Adam Davis, syzbot+bdeb22a4b9a09ab9aa45
Cc: linux-kernel, ntfs3, penguin-kernel, syzkaller-bugs
On 9/16/25 07:50, Edward Adam Davis wrote:
> After setting the inode mode of $Extend to a regular file, executing the
> truncate system call will enter the do_truncate() routine, causing the
> run_lock uninitialized error reported by syzbot.
>
> Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to
> a regular file, the do_truncate() routine would not be entered.
>
> Add the run_lock initialization when loading $Extend.
>
> syzbot reported:
> INFO: trying to register non-static key.
> Call Trace:
> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
> register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299
> __lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112
> lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
> down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590
> ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860
> ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
> ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
>
> Fixes: 4e8011ffec79 ("ntfs3: pretend $Extend records as regular files")
> Reported-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=bdeb22a4b9a09ab9aa45
> Tested-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> fs/ntfs3/inode.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
> index 3959f23c487a..180cd984339b 100644
> --- a/fs/ntfs3/inode.c
> +++ b/fs/ntfs3/inode.c
> @@ -472,6 +472,7 @@ static struct inode *ntfs_read_mft(struct inode *inode,
> /* Records in $Extend are not a files or general directories. */
> inode->i_op = &ntfs_file_inode_operations;
> mode = S_IFREG;
> + init_rwsem(&ni->file.run_lock);
> } else {
> err = -EINVAL;
> goto out;
Taken, thanks. Will be sent in the next pull request.
Regards,
Konstantin