possible deadlock in hfs_find_init
16 views
Skip to first unread message
syzbot
Apr 22, 2018, 9:02:03 PM4/22/18
to gre...@linuxfoundation.org, kste...@linuxfoundation.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, pombr...@nexb.com, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,
syzbot hit the following crash on upstream commit
43f70c960180c11d64ee3e9e53075fe1acd43ff1 (Fri Apr 20 16:08:37 2018 +0000)
Merge tag 'ecryptfs-4.17-rc2-fixes' of
git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=b718ec84a87b7e73ade4
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5968078374436864
syzkaller reproducer:
https://syzkaller.appspot.com/x/repro.syz?id=4766076478947328
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=6072762028261376
Kernel config:
https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b718ec...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
============================================
WARNING: possible recursive locking detected
4.17.0-rc1+ #9 Not tainted
--------------------------------------------
syzkaller905163/4505 is trying to acquire lock:
00000000cf71528f (&tree->tree_lock){+.+.}, at: hfs_find_init+0x11c/0x180
fs/hfs/bfind.c:28
but task is already holding lock:
000000007d108cde (&tree->tree_lock){+.+.}, at: hfs_find_init+0x11c/0x180
fs/hfs/bfind.c:28
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&tree->tree_lock);
lock(&tree->tree_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by syzkaller905163/4505:
#0: 000000005253f77a (&type->s_umount_key#36/1){+.+.}, at: alloc_super
fs/super.c:212 [inline]
#0: 000000005253f77a (&type->s_umount_key#36/1){+.+.}, at:
sget_userns+0x2dd/0xf20 fs/super.c:503
#1: 000000007d108cde (&tree->tree_lock){+.+.}, at:
hfs_find_init+0x11c/0x180 fs/hfs/bfind.c:28
#2: 00000000d9af4d52 (&HFS_I(tree->inode)->extents_lock){+.+.}, at:
hfs_get_block+0x56c/0x850 fs/hfs/extent.c:359
stack backtrace:
CPU: 1 PID: 4505 Comm: syzkaller905163 Not tainted 4.17.0-rc1+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_deadlock_bug kernel/locking/lockdep.c:1761 [inline]
check_deadlock kernel/locking/lockdep.c:1805 [inline]
validate_chain kernel/locking/lockdep.c:2401 [inline]
__lock_acquire.cold.62+0x18c/0x55b kernel/locking/lockdep.c:3431
lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0x16d/0x17f0 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
hfs_find_init+0x11c/0x180 fs/hfs/bfind.c:28
hfs_ext_read_extent+0x1b9/0xc20 fs/hfs/extent.c:196
hfs_get_block+0x578/0x850 fs/hfs/extent.c:360
block_read_full_page+0x2c7/0xab0 fs/buffer.c:2236
hfs_readpage+0x1c/0x20 fs/hfs/inode.c:38
do_read_cache_page+0x778/0x13b0 mm/filemap.c:2806
read_cache_page+0x61/0x80 mm/filemap.c:2894
read_mapping_page include/linux/pagemap.h:402 [inline]
__hfs_bnode_create+0x601/0x9f0 fs/hfs/bnode.c:281
hfs_bnode_find+0x2b8/0xb80 fs/hfs/bnode.c:330
hfs_brec_find+0x2f3/0x5b0 fs/hfs/bfind.c:114
hfs_brec_read+0x27/0x120 fs/hfs/bfind.c:153
hfs_cat_find_brec+0x14a/0x400 fs/hfs/catalog.c:186
hfs_fill_super+0x11f4/0x18c0 fs/hfs/super.c:426
mount_bdev+0x30c/0x3e0 fs/super.c:1165
hfs_mount+0x34/0x40 fs/hfs/super.c:463
mount_fs+0xae/0x328 fs/super.c:1268
vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
vfs_kern_mount fs/namespace.c:1027 [inline]
do_new_mount fs/namespace.c:2517 [inline]
do_mount+0x564/0x3070 fs/namespace.c:2847
ksys_mount+0x12d/0x140 fs/namespace.c:3063
__do_sys_mount fs/namespace.c:3077 [inline]
__se_sys_mount fs/namespace.c:3074 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x442e4a
RSP: 002b:00007ffe9b4269d8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000258 RCX: 0000000000442e4a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe9b4269e0
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzbot hit the following crash on upstream commit
43f70c960180c11d64ee3e9e53075fe1acd43ff1 (Fri Apr 20 16:08:37 2018 +0000)
Merge tag 'ecryptfs-4.17-rc2-fixes' of
git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=b718ec84a87b7e73ade4
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5968078374436864
syzkaller reproducer:
https://syzkaller.appspot.com/x/repro.syz?id=4766076478947328
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=6072762028261376
Kernel config:
https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b718ec...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
============================================
WARNING: possible recursive locking detected
4.17.0-rc1+ #9 Not tainted
--------------------------------------------
syzkaller905163/4505 is trying to acquire lock:
00000000cf71528f (&tree->tree_lock){+.+.}, at: hfs_find_init+0x11c/0x180
fs/hfs/bfind.c:28
but task is already holding lock:
000000007d108cde (&tree->tree_lock){+.+.}, at: hfs_find_init+0x11c/0x180
fs/hfs/bfind.c:28
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&tree->tree_lock);
lock(&tree->tree_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by syzkaller905163/4505:
#0: 000000005253f77a (&type->s_umount_key#36/1){+.+.}, at: alloc_super
fs/super.c:212 [inline]
#0: 000000005253f77a (&type->s_umount_key#36/1){+.+.}, at:
sget_userns+0x2dd/0xf20 fs/super.c:503
#1: 000000007d108cde (&tree->tree_lock){+.+.}, at:
hfs_find_init+0x11c/0x180 fs/hfs/bfind.c:28
#2: 00000000d9af4d52 (&HFS_I(tree->inode)->extents_lock){+.+.}, at:
hfs_get_block+0x56c/0x850 fs/hfs/extent.c:359
stack backtrace:
CPU: 1 PID: 4505 Comm: syzkaller905163 Not tainted 4.17.0-rc1+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_deadlock_bug kernel/locking/lockdep.c:1761 [inline]
check_deadlock kernel/locking/lockdep.c:1805 [inline]
validate_chain kernel/locking/lockdep.c:2401 [inline]
__lock_acquire.cold.62+0x18c/0x55b kernel/locking/lockdep.c:3431
lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0x16d/0x17f0 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
hfs_find_init+0x11c/0x180 fs/hfs/bfind.c:28
hfs_ext_read_extent+0x1b9/0xc20 fs/hfs/extent.c:196
hfs_get_block+0x578/0x850 fs/hfs/extent.c:360
block_read_full_page+0x2c7/0xab0 fs/buffer.c:2236
hfs_readpage+0x1c/0x20 fs/hfs/inode.c:38
do_read_cache_page+0x778/0x13b0 mm/filemap.c:2806
read_cache_page+0x61/0x80 mm/filemap.c:2894
read_mapping_page include/linux/pagemap.h:402 [inline]
__hfs_bnode_create+0x601/0x9f0 fs/hfs/bnode.c:281
hfs_bnode_find+0x2b8/0xb80 fs/hfs/bnode.c:330
hfs_brec_find+0x2f3/0x5b0 fs/hfs/bfind.c:114
hfs_brec_read+0x27/0x120 fs/hfs/bfind.c:153
hfs_cat_find_brec+0x14a/0x400 fs/hfs/catalog.c:186
hfs_fill_super+0x11f4/0x18c0 fs/hfs/super.c:426
mount_bdev+0x30c/0x3e0 fs/super.c:1165
hfs_mount+0x34/0x40 fs/hfs/super.c:463
mount_fs+0xae/0x328 fs/super.c:1268
vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
vfs_kern_mount fs/namespace.c:1027 [inline]
do_new_mount fs/namespace.c:2517 [inline]
do_mount+0x564/0x3070 fs/namespace.c:2847
ksys_mount+0x12d/0x140 fs/namespace.c:3063
__do_sys_mount fs/namespace.c:3077 [inline]
__se_sys_mount fs/namespace.c:3074 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x442e4a
RSP: 002b:00007ffe9b4269d8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000258 RCX: 0000000000442e4a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe9b4269e0
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
Reply all
Reply to author
Forward
0 new messages