[syzbot] [ntfs3?] possible deadlock in ntfs_look_for_free_space
7 views
Skip to first unread message
syzbot
Nov 8, 2024, 2:38:26āÆAM11/8/24
to almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 74741a050b79 Add linux-next specific files for 20241107
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13f15d87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d3ef0574c9dc8b00
dashboard link: https://syzkaller.appspot.com/bug?extid=d27edf9f96ae85939222
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8993ea1d09da/disk-74741a05.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dab7bc3c6e88/vmlinux-74741a05.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fda543ad532f/bzImage-74741a05.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d27edf...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.12.0-rc6-next-20241107-syzkaller #0 Not tainted
------------------------------------------------------
syz.1.532/8903 is trying to acquire lock:
ffff888060c52270 (&wnd->rw_lock){++++}-{4:4}, at: ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
but task is already holding lock:
ffff888059c0efd8 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_set_size+0x13d/0x200 fs/ntfs3/inode.c:852
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ni->file.run_lock#2){++++}-{4:4}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_read+0xb1/0xa40 kernel/locking/rwsem.c:1524
run_unpack_ex+0x55e/0x9e0 fs/ntfs3/run.c:1119
ntfs_read_mft fs/ntfs3/inode.c:401 [inline]
ntfs_iget5+0x1f9a/0x37b0 fs/ntfs3/inode.c:537
ntfs_dir_emit fs/ntfs3/dir.c:335 [inline]
ntfs_read_hdr+0x700/0xb80 fs/ntfs3/dir.c:383
ntfs_readdir+0x91f/0xf00 fs/ntfs3/dir.c:494
iterate_dir+0x571/0x800 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:403 [inline]
__se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&wnd->rw_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_write_nested+0xa2/0x220 kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1d6/0x990 fs/ntfs3/attrib.c:159
attr_set_size+0x2053/0x4300 fs/ntfs3/attrib.c:574
ntfs_set_size+0x161/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x1d1/0xad0 fs/ntfs3/file.c:409
ntfs_setattr+0x2aa/0xb80 fs/ntfs3/file.c:826
notify_change+0xbca/0xe90 fs/attr.c:552
do_truncate+0x220/0x310 fs/open.c:65
vfs_truncate+0x2e1/0x3b0 fs/open.c:111
do_sys_truncate+0xdb/0x190 fs/open.c:134
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
*** DEADLOCK ***
4 locks held by syz.1.532/8903:
#0: ffff888060c54420 (sb_writers#17){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
#1: ffff888059c0f1c0 (&sb->s_type->i_mutex_key#29){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:817 [inline]
#1: ffff888059c0f1c0 (&sb->s_type->i_mutex_key#29){+.+.}-{4:4}, at: do_truncate+0x20c/0x310 fs/open.c:63
#2: ffff888059c0ef28 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ni_lock fs/ntfs3/ntfs_fs.h:1110 [inline]
#2: ffff888059c0ef28 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ntfs_set_size+0x12e/0x200 fs/ntfs3/inode.c:851
#3: ffff888059c0efd8 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_set_size+0x13d/0x200 fs/ntfs3/inode.c:852
stack backtrace:
CPU: 0 UID: 0 PID: 8903 Comm: syz.1.532 Not tainted 6.12.0-rc6-next-20241107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_write_nested+0xa2/0x220 kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1d6/0x990 fs/ntfs3/attrib.c:159
attr_set_size+0x2053/0x4300 fs/ntfs3/attrib.c:574
ntfs_set_size+0x161/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x1d1/0xad0 fs/ntfs3/file.c:409
ntfs_setattr+0x2aa/0xb80 fs/ntfs3/file.c:826
notify_change+0xbca/0xe90 fs/attr.c:552
do_truncate+0x220/0x310 fs/open.c:65
vfs_truncate+0x2e1/0x3b0 fs/open.c:111
do_sys_truncate+0xdb/0x190 fs/open.c:134
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f49bd97e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f49be6ea038 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 00007f49bdb35f80 RCX: 00007f49bd97e719
RDX: 0000000000000000 RSI: 0000000000101000 RDI: 0000000020000080
RBP: 00007f49bd9f139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f49bdb35f80 R15: 00007fffc9d8ce08
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 74741a050b79 Add linux-next specific files for 20241107
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13f15d87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d3ef0574c9dc8b00
dashboard link: https://syzkaller.appspot.com/bug?extid=d27edf9f96ae85939222
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8993ea1d09da/disk-74741a05.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dab7bc3c6e88/vmlinux-74741a05.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fda543ad532f/bzImage-74741a05.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d27edf...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.12.0-rc6-next-20241107-syzkaller #0 Not tainted
------------------------------------------------------
syz.1.532/8903 is trying to acquire lock:
ffff888060c52270 (&wnd->rw_lock){++++}-{4:4}, at: ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
but task is already holding lock:
ffff888059c0efd8 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_set_size+0x13d/0x200 fs/ntfs3/inode.c:852
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ni->file.run_lock#2){++++}-{4:4}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_read+0xb1/0xa40 kernel/locking/rwsem.c:1524
run_unpack_ex+0x55e/0x9e0 fs/ntfs3/run.c:1119
ntfs_read_mft fs/ntfs3/inode.c:401 [inline]
ntfs_iget5+0x1f9a/0x37b0 fs/ntfs3/inode.c:537
ntfs_dir_emit fs/ntfs3/dir.c:335 [inline]
ntfs_read_hdr+0x700/0xb80 fs/ntfs3/dir.c:383
ntfs_readdir+0x91f/0xf00 fs/ntfs3/dir.c:494
iterate_dir+0x571/0x800 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:403 [inline]
__se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&wnd->rw_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_write_nested+0xa2/0x220 kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1d6/0x990 fs/ntfs3/attrib.c:159
attr_set_size+0x2053/0x4300 fs/ntfs3/attrib.c:574
ntfs_set_size+0x161/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x1d1/0xad0 fs/ntfs3/file.c:409
ntfs_setattr+0x2aa/0xb80 fs/ntfs3/file.c:826
notify_change+0xbca/0xe90 fs/attr.c:552
do_truncate+0x220/0x310 fs/open.c:65
vfs_truncate+0x2e1/0x3b0 fs/open.c:111
do_sys_truncate+0xdb/0x190 fs/open.c:134
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
*** DEADLOCK ***
4 locks held by syz.1.532/8903:
#0: ffff888060c54420 (sb_writers#17){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
#1: ffff888059c0f1c0 (&sb->s_type->i_mutex_key#29){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:817 [inline]
#1: ffff888059c0f1c0 (&sb->s_type->i_mutex_key#29){+.+.}-{4:4}, at: do_truncate+0x20c/0x310 fs/open.c:63
#2: ffff888059c0ef28 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ni_lock fs/ntfs3/ntfs_fs.h:1110 [inline]
#2: ffff888059c0ef28 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ntfs_set_size+0x12e/0x200 fs/ntfs3/inode.c:851
#3: ffff888059c0efd8 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_set_size+0x13d/0x200 fs/ntfs3/inode.c:852
stack backtrace:
CPU: 0 UID: 0 PID: 8903 Comm: syz.1.532 Not tainted 6.12.0-rc6-next-20241107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_write_nested+0xa2/0x220 kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1d6/0x990 fs/ntfs3/attrib.c:159
attr_set_size+0x2053/0x4300 fs/ntfs3/attrib.c:574
ntfs_set_size+0x161/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x1d1/0xad0 fs/ntfs3/file.c:409
ntfs_setattr+0x2aa/0xb80 fs/ntfs3/file.c:826
notify_change+0xbca/0xe90 fs/attr.c:552
do_truncate+0x220/0x310 fs/open.c:65
vfs_truncate+0x2e1/0x3b0 fs/open.c:111
do_sys_truncate+0xdb/0x190 fs/open.c:134
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f49bd97e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f49be6ea038 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 00007f49bdb35f80 RCX: 00007f49bd97e719
RDX: 0000000000000000 RSI: 0000000000101000 RDI: 0000000020000080
RBP: 00007f49bd9f139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f49bdb35f80 R15: 00007fffc9d8ce08
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jan 14, 2025, 7:46:25āÆAM1/14/25
to almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: c45323b7560e Merge tag 'mm-hotfixes-stable-2025-01-13-00-0..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11732a18580000
kernel config: https://syzkaller.appspot.com/x/.config?x=aadf89e2f6db86cc
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/32d07cc6940f/disk-c45323b7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8e06bc34aa34/vmlinux-c45323b7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0b63902920e8/bzImage-c45323b7.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/66d38d2d76ad/mount_1.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/386eda454648/mount_6.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d27edf...@syzkaller.appspotmail.com
loop3: detected capacity change from 0 to 4096
ntfs3(loop3): Different NTFS sector size (1024) and media sector size (512).
------------------------------------------------------
syz.3.19/6137 is trying to acquire lock:
ffff8880325ba270 (&wnd->rw_lock){++++}-{4:4}, at: ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
but task is already holding lock:
ffff88805a99bc70 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_extend_mft+0x160/0x4b0 fs/ntfs3/fsntfs.c:511
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ni->file.run_lock#2){++++}-{4:4}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_read+0xb1/0xa40 kernel/locking/rwsem.c:1524
run_unpack_ex+0x55e/0x9e0 fs/ntfs3/run.c:1119
ntfs_read_mft fs/ntfs3/inode.c:401 [inline]
ntfs_iget5+0x1f9a/0x37b0 fs/ntfs3/inode.c:537
ntfs_dir_emit fs/ntfs3/dir.c:335 [inline]
ntfs_read_hdr+0x700/0xb80 fs/ntfs3/dir.c:383
ntfs_readdir+0x91f/0xf00 fs/ntfs3/dir.c:494
iterate_dir+0x573/0x800 fs/readdir.c:108
ntfs_look_free_mft+0x77c/0x10c0 fs/ntfs3/fsntfs.c:709
ntfs_create_inode+0x581/0x3760 fs/ntfs3/inode.c:1305
ntfs_create+0x3d/0x50 fs/ntfs3/namei.c:110
lookup_open fs/namei.c:3649 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0x1c05/0x3590 fs/namei.c:3984
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1489
#0: ffff8880325bc420 (sb_writers#13){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:516
#1: ffff88805a845bb8 (&type->i_mutex_dir_key#10){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#1: ffff88805a845bb8 (&type->i_mutex_dir_key#10){++++}-{4:4}, at: open_last_lookups fs/namei.c:3745 [inline]
#1: ffff88805a845bb8 (&type->i_mutex_dir_key#10){++++}-{4:4}, at: path_openat+0x89a/0x3590 fs/namei.c:3984
#2: ffff88805a845920 (&ni->ni_lock/6){+.+.}-{4:4}, at: ni_lock_dir fs/ntfs3/ntfs_fs.h:1115 [inline]
#2: ffff88805a845920 (&ni->ni_lock/6){+.+.}-{4:4}, at: ntfs_create_inode+0x215/0x3760 fs/ntfs3/inode.c:1219
#3: ffff8880325ba128 (&wnd->rw_lock/1){+.+.}-{4:4}, at: ntfs_look_free_mft+0x1e5/0x10c0 fs/ntfs3/fsntfs.c:571
#4: ffff88805a99bc70 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_extend_mft+0x160/0x4b0 fs/ntfs3/fsntfs.c:511
stack backtrace:
CPU: 0 UID: 0 PID: 6137 Comm: syz.3.19 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
ntfs_look_free_mft+0x77c/0x10c0 fs/ntfs3/fsntfs.c:709
ntfs_create_inode+0x581/0x3760 fs/ntfs3/inode.c:1305
ntfs_create+0x3d/0x50 fs/ntfs3/namei.c:110
lookup_open fs/namei.c:3649 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0x1c05/0x3590 fs/namei.c:3984
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1489
RAX: ffffffffffffffda RBX: 00007f07c9175fa0 RCX: 00007f07c8f85d29
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000240
RBP: 00007f07c9001b08 R08: 0000000000000000 R09: 0000000000000000
</TASK>
ntfs3(loop3): ino=0, attr_set_size
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: c45323b7560e Merge tag 'mm-hotfixes-stable-2025-01-13-00-0..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11732a18580000
kernel config: https://syzkaller.appspot.com/x/.config?x=aadf89e2f6db86cc
dashboard link: https://syzkaller.appspot.com/bug?extid=d27edf9f96ae85939222
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16825bc4580000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/32d07cc6940f/disk-c45323b7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8e06bc34aa34/vmlinux-c45323b7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0b63902920e8/bzImage-c45323b7.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/66d38d2d76ad/mount_1.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/386eda454648/mount_6.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d27edf...@syzkaller.appspotmail.com
ntfs3(loop3): Different NTFS sector size (1024) and media sector size (512).
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Not tainted
WARNING: possible circular locking dependency detected
------------------------------------------------------
syz.3.19/6137 is trying to acquire lock:
ffff8880325ba270 (&wnd->rw_lock){++++}-{4:4}, at: ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
but task is already holding lock:
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ni->file.run_lock#2){++++}-{4:4}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_read+0xb1/0xa40 kernel/locking/rwsem.c:1524
run_unpack_ex+0x55e/0x9e0 fs/ntfs3/run.c:1119
ntfs_read_mft fs/ntfs3/inode.c:401 [inline]
ntfs_iget5+0x1f9a/0x37b0 fs/ntfs3/inode.c:537
ntfs_dir_emit fs/ntfs3/dir.c:335 [inline]
ntfs_read_hdr+0x700/0xb80 fs/ntfs3/dir.c:383
ntfs_readdir+0x91f/0xf00 fs/ntfs3/dir.c:494
__do_sys_getdents64 fs/readdir.c:403 [inline]
__se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&wnd->rw_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_write_nested+0xa2/0x220 kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1d6/0x990 fs/ntfs3/attrib.c:159
attr_set_size+0x2053/0x4300 fs/ntfs3/attrib.c:574
ntfs_extend_mft+0x188/0x4b0 fs/ntfs3/fsntfs.c:512
__se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&wnd->rw_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_write_nested+0xa2/0x220 kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1d6/0x990 fs/ntfs3/attrib.c:159
attr_set_size+0x2053/0x4300 fs/ntfs3/attrib.c:574
ntfs_look_free_mft+0x77c/0x10c0 fs/ntfs3/fsntfs.c:709
ntfs_create_inode+0x581/0x3760 fs/ntfs3/inode.c:1305
ntfs_create+0x3d/0x50 fs/ntfs3/namei.c:110
lookup_open fs/namei.c:3649 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0x1c05/0x3590 fs/namei.c:3984
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1489
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
*** DEADLOCK ***
5 locks held by syz.3.19/6137:
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
*** DEADLOCK ***
#0: ffff8880325bc420 (sb_writers#13){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:516
#1: ffff88805a845bb8 (&type->i_mutex_dir_key#10){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#1: ffff88805a845bb8 (&type->i_mutex_dir_key#10){++++}-{4:4}, at: open_last_lookups fs/namei.c:3745 [inline]
#1: ffff88805a845bb8 (&type->i_mutex_dir_key#10){++++}-{4:4}, at: path_openat+0x89a/0x3590 fs/namei.c:3984
#2: ffff88805a845920 (&ni->ni_lock/6){+.+.}-{4:4}, at: ni_lock_dir fs/ntfs3/ntfs_fs.h:1115 [inline]
#2: ffff88805a845920 (&ni->ni_lock/6){+.+.}-{4:4}, at: ntfs_create_inode+0x215/0x3760 fs/ntfs3/inode.c:1219
#3: ffff8880325ba128 (&wnd->rw_lock/1){+.+.}-{4:4}, at: ntfs_look_free_mft+0x1e5/0x10c0 fs/ntfs3/fsntfs.c:571
#4: ffff88805a99bc70 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_extend_mft+0x160/0x4b0 fs/ntfs3/fsntfs.c:511
stack backtrace:
CPU: 0 UID: 0 PID: 6137 Comm: syz.3.19 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_write_nested+0xa2/0x220 kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1d6/0x990 fs/ntfs3/attrib.c:159
attr_set_size+0x2053/0x4300 fs/ntfs3/attrib.c:574
ntfs_extend_mft+0x188/0x4b0 fs/ntfs3/fsntfs.c:512
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
down_write_nested+0xa2/0x220 kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0x100/0x690 fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1d6/0x990 fs/ntfs3/attrib.c:159
attr_set_size+0x2053/0x4300 fs/ntfs3/attrib.c:574
ntfs_look_free_mft+0x77c/0x10c0 fs/ntfs3/fsntfs.c:709
ntfs_create_inode+0x581/0x3760 fs/ntfs3/inode.c:1305
ntfs_create+0x3d/0x50 fs/ntfs3/namei.c:110
lookup_open fs/namei.c:3649 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0x1c05/0x3590 fs/namei.c:3984
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1489
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07c8f85d29
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f07c9de6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007f07c9175fa0 RCX: 00007f07c8f85d29
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000240
RBP: 00007f07c9001b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f07c9175fa0 R15: 00007fff8eee1d18
</TASK>
ntfs3(loop3): ino=0, attr_set_size
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Jan 31, 2025, 5:55:33āÆAM1/31/25
to almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 1950a0af2d55 Merge tag 'arm64-upstream' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=10404518580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cc031f8aa606a448
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=118aab64580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15865ddf980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f7a210b6e168/disk-1950a0af.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fffe4bd5b59c/vmlinux-1950a0af.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b5e6fc6340b2/Image-1950a0af.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/8ae15bf11712/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/3b6c55850042/mount_3.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d27edf...@syzkaller.appspotmail.com
ntfs3(loop3): Different NTFS sector size (4096) and media sector size (512).
ntfs3(loop3): Mark volume as dirty due to NTFS errors
------------------------------------------------------
syz-executor323/6469 is trying to acquire lock:
ffff0000c9402270 (&wnd->rw_lock){++++}-{4:4}, at: ntfs_look_for_free_space+0xe4/0x58c fs/ntfs3/fsntfs.c:362
but task is already holding lock:
ffff0000dca92dc0 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_set_size+0x130/0x200 fs/ntfs3/inode.c:852
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ni->file.run_lock#2){++++}-{4:4}:
down_read+0x58/0x2fc kernel/locking/rwsem.c:1524
run_unpack_ex+0x43c/0x7fc fs/ntfs3/run.c:1119
ntfs_read_mft fs/ntfs3/inode.c:401 [inline]
ntfs_iget5+0x15b4/0x2c60 fs/ntfs3/inode.c:537
dir_search_u+0x298/0x324 fs/ntfs3/dir.c:264
ntfs_lookup+0x108/0x1f8 fs/ntfs3/namei.c:85
lookup_open fs/namei.c:3627 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0xf7c/0x2b14 fs/namei.c:3984
do_filp_open+0x1e8/0x404 fs/namei.c:4014
do_sys_openat2+0x124/0x1b8 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1428
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
-> #0 (&wnd->rw_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x34f0/0x7904 kernel/locking/lockdep.c:5226
lock_acquire+0x23c/0x724 kernel/locking/lockdep.c:5849
down_write_nested+0x58/0xcc kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0xe4/0x58c fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1dc/0x85c fs/ntfs3/attrib.c:159
attr_set_size+0x192c/0x3468 fs/ntfs3/attrib.c:574
ntfs_set_size+0x158/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x19c/0x8e8 fs/ntfs3/file.c:409
ntfs_setattr+0x220/0x95c fs/ntfs3/file.c:826
notify_change+0x9f0/0xca0 fs/attr.c:552
do_truncate+0x1c0/0x28c fs/open.c:65
vfs_truncate+0x2b8/0x360 fs/open.c:111
do_sys_truncate+0xe8/0x1ac fs/open.c:134
__do_sys_truncate fs/open.c:146 [inline]
__se_sys_truncate fs/open.c:144 [inline]
__arm64_sys_truncate+0x5c/0x70 fs/open.c:144
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
*** DEADLOCK ***
4 locks held by syz-executor323/6469:
#0: ffff0000c9404420 (sb_writers#10){.+.+}-{0:0}, at: mnt_want_write+0x44/0x9c fs/namespace.c:516
#1: ffff0000dca92fa8 (&sb->s_type->i_mutex_key#18){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#1: ffff0000dca92fa8 (&sb->s_type->i_mutex_key#18){+.+.}-{4:4}, at: do_truncate+0x1ac/0x28c fs/open.c:63
#2: ffff0000dca92d10 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ni_lock fs/ntfs3/ntfs_fs.h:1110 [inline]
#2: ffff0000dca92d10 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ntfs_set_size+0x124/0x200 fs/ntfs3/inode.c:851
#3: ffff0000dca92dc0 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_set_size+0x130/0x200 fs/ntfs3/inode.c:852
stack backtrace:
CPU: 0 UID: 0 PID: 6469 Comm: syz-executor323 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
dump_stack+0x1c/0x28 lib/dump_stack.c:129
print_circular_bug+0x154/0x1c0 kernel/locking/lockdep.c:2074
check_noncircular+0x310/0x404 kernel/locking/lockdep.c:2206
__lock_acquire+0x34f0/0x7904 kernel/locking/lockdep.c:5226
lock_acquire+0x23c/0x724 kernel/locking/lockdep.c:5849
down_write_nested+0x58/0xcc kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0xe4/0x58c fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1dc/0x85c fs/ntfs3/attrib.c:159
attr_set_size+0x192c/0x3468 fs/ntfs3/attrib.c:574
ntfs_set_size+0x158/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x19c/0x8e8 fs/ntfs3/file.c:409
ntfs_setattr+0x220/0x95c fs/ntfs3/file.c:826
notify_change+0x9f0/0xca0 fs/attr.c:552
do_truncate+0x1c0/0x28c fs/open.c:65
vfs_truncate+0x2b8/0x360 fs/open.c:111
do_sys_truncate+0xe8/0x1ac fs/open.c:134
__do_sys_truncate fs/open.c:146 [inline]
__se_sys_truncate fs/open.c:144 [inline]
__arm64_sys_truncate+0x5c/0x70 fs/open.c:144
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
HEAD commit: 1950a0af2d55 Merge tag 'arm64-upstream' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=10404518580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cc031f8aa606a448
dashboard link: https://syzkaller.appspot.com/bug?extid=d27edf9f96ae85939222
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=118aab64580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15865ddf980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f7a210b6e168/disk-1950a0af.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fffe4bd5b59c/vmlinux-1950a0af.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b5e6fc6340b2/Image-1950a0af.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/8ae15bf11712/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/3b6c55850042/mount_3.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d27edf...@syzkaller.appspotmail.com
ntfs3(loop3): Mark volume as dirty due to NTFS errors
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Not tainted
WARNING: possible circular locking dependency detected
------------------------------------------------------
syz-executor323/6469 is trying to acquire lock:
ffff0000c9402270 (&wnd->rw_lock){++++}-{4:4}, at: ntfs_look_for_free_space+0xe4/0x58c fs/ntfs3/fsntfs.c:362
but task is already holding lock:
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ni->file.run_lock#2){++++}-{4:4}:
run_unpack_ex+0x43c/0x7fc fs/ntfs3/run.c:1119
ntfs_read_mft fs/ntfs3/inode.c:401 [inline]
ntfs_iget5+0x15b4/0x2c60 fs/ntfs3/inode.c:537
dir_search_u+0x298/0x324 fs/ntfs3/dir.c:264
ntfs_lookup+0x108/0x1f8 fs/ntfs3/namei.c:85
lookup_open fs/namei.c:3627 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0xf7c/0x2b14 fs/namei.c:3984
do_filp_open+0x1e8/0x404 fs/namei.c:4014
do_sys_openat2+0x124/0x1b8 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1428
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
-> #0 (&wnd->rw_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
__lock_acquire+0x34f0/0x7904 kernel/locking/lockdep.c:5226
lock_acquire+0x23c/0x724 kernel/locking/lockdep.c:5849
down_write_nested+0x58/0xcc kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0xe4/0x58c fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1dc/0x85c fs/ntfs3/attrib.c:159
attr_set_size+0x192c/0x3468 fs/ntfs3/attrib.c:574
ntfs_set_size+0x158/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x19c/0x8e8 fs/ntfs3/file.c:409
ntfs_setattr+0x220/0x95c fs/ntfs3/file.c:826
notify_change+0x9f0/0xca0 fs/attr.c:552
do_truncate+0x1c0/0x28c fs/open.c:65
vfs_truncate+0x2b8/0x360 fs/open.c:111
do_sys_truncate+0xe8/0x1ac fs/open.c:134
__do_sys_truncate fs/open.c:146 [inline]
__se_sys_truncate fs/open.c:144 [inline]
__arm64_sys_truncate+0x5c/0x70 fs/open.c:144
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
*** DEADLOCK ***
#0: ffff0000c9404420 (sb_writers#10){.+.+}-{0:0}, at: mnt_want_write+0x44/0x9c fs/namespace.c:516
#1: ffff0000dca92fa8 (&sb->s_type->i_mutex_key#18){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#1: ffff0000dca92fa8 (&sb->s_type->i_mutex_key#18){+.+.}-{4:4}, at: do_truncate+0x1ac/0x28c fs/open.c:63
#2: ffff0000dca92d10 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ni_lock fs/ntfs3/ntfs_fs.h:1110 [inline]
#2: ffff0000dca92d10 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ntfs_set_size+0x124/0x200 fs/ntfs3/inode.c:851
#3: ffff0000dca92dc0 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_set_size+0x130/0x200 fs/ntfs3/inode.c:852
stack backtrace:
CPU: 0 UID: 0 PID: 6469 Comm: syz-executor323 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
dump_stack+0x1c/0x28 lib/dump_stack.c:129
print_circular_bug+0x154/0x1c0 kernel/locking/lockdep.c:2074
check_noncircular+0x310/0x404 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
__lock_acquire+0x34f0/0x7904 kernel/locking/lockdep.c:5226
lock_acquire+0x23c/0x724 kernel/locking/lockdep.c:5849
down_write_nested+0x58/0xcc kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0xe4/0x58c fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1dc/0x85c fs/ntfs3/attrib.c:159
attr_set_size+0x192c/0x3468 fs/ntfs3/attrib.c:574
ntfs_set_size+0x158/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x19c/0x8e8 fs/ntfs3/file.c:409
ntfs_setattr+0x220/0x95c fs/ntfs3/file.c:826
notify_change+0x9f0/0xca0 fs/attr.c:552
do_truncate+0x1c0/0x28c fs/open.c:65
vfs_truncate+0x2b8/0x360 fs/open.c:111
do_sys_truncate+0xe8/0x1ac fs/open.c:134
__do_sys_truncate fs/open.c:146 [inline]
__se_sys_truncate fs/open.c:144 [inline]
__arm64_sys_truncate+0x5c/0x70 fs/open.c:144
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
syzbot
Dec 26, 2025, 10:38:22āÆPM12/26/25
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: Re: [syzbot] [ntfs3?] possible deadlock in ntfs_look_for_free_space
Author: swilc...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From b7ce4cc69bc50a5b436e1023d682e27ea7725e16 Mon Sep 17 00:00:00 2001
From: Szymon Wilczek <swilc...@gmail.com>
Date: Sat, 27 Dec 2025 04:32:44 +0100
Subject: [PATCH] ntfs3: fix circular locking dependency in run_unpack_ex
Syzbot reported a circular locking dependency between wnd->rw_lock
(sbi->used.bitmap) and ni->file.run_lock.
The deadlock scenario:
1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock.
2. run_unpack_ex() takes wnd->rw_lock then tries to acquire
ni->file.run_lock inside ntfs_refresh_zone().
This creates an AB-BA deadlock.
Fix this by using down_read_trylock() instead of down_read() when
acquiring run_lock in run_unpack_ex(). If the lock is contended,
skip ntfs_refresh_zone() - the MFT zone will be refreshed on the
next MFT operation. This breaks the circular dependency since we
never block waiting for run_lock while holding wnd->rw_lock.
Reported-by: syzbot+d27edf...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d27edf9f96ae85939222
Signed-off-by: Szymon Wilczek <swilc...@gmail.com>
---
fs/ntfs3/run.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/fs/ntfs3/run.c b/fs/ntfs3/run.c
index 395b20492525..dc59cad4fa37 100644
--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -1131,11 +1131,14 @@ int run_unpack_ex(struct runs_tree *run, struct ntfs_sb_info *sbi, CLST ino,
struct rw_semaphore *lock =
is_mounted(sbi) ? &sbi->mft.ni->file.run_lock :
NULL;
- if (lock)
- down_read(lock);
- ntfs_refresh_zone(sbi);
- if (lock)
- up_read(lock);
+ if (lock) {
+ if (down_read_trylock(lock)) {
+ ntfs_refresh_zone(sbi);
+ up_read(lock);
+ }
+ } else {
+ ntfs_refresh_zone(sbi);
+ }
}
up_write(&wnd->rw_lock);
if (err)
--
2.52.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: Re: [syzbot] [ntfs3?] possible deadlock in ntfs_look_for_free_space
Author: swilc...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From b7ce4cc69bc50a5b436e1023d682e27ea7725e16 Mon Sep 17 00:00:00 2001
From: Szymon Wilczek <swilc...@gmail.com>
Date: Sat, 27 Dec 2025 04:32:44 +0100
Subject: [PATCH] ntfs3: fix circular locking dependency in run_unpack_ex
Syzbot reported a circular locking dependency between wnd->rw_lock
(sbi->used.bitmap) and ni->file.run_lock.
The deadlock scenario:
1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock.
2. run_unpack_ex() takes wnd->rw_lock then tries to acquire
ni->file.run_lock inside ntfs_refresh_zone().
This creates an AB-BA deadlock.
Fix this by using down_read_trylock() instead of down_read() when
acquiring run_lock in run_unpack_ex(). If the lock is contended,
skip ntfs_refresh_zone() - the MFT zone will be refreshed on the
next MFT operation. This breaks the circular dependency since we
never block waiting for run_lock while holding wnd->rw_lock.
Reported-by: syzbot+d27edf...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d27edf9f96ae85939222
Signed-off-by: Szymon Wilczek <swilc...@gmail.com>
---
fs/ntfs3/run.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/fs/ntfs3/run.c b/fs/ntfs3/run.c
index 395b20492525..dc59cad4fa37 100644
--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -1131,11 +1131,14 @@ int run_unpack_ex(struct runs_tree *run, struct ntfs_sb_info *sbi, CLST ino,
struct rw_semaphore *lock =
is_mounted(sbi) ? &sbi->mft.ni->file.run_lock :
NULL;
- if (lock)
- down_read(lock);
- ntfs_refresh_zone(sbi);
- if (lock)
- up_read(lock);
+ if (lock) {
+ if (down_read_trylock(lock)) {
+ ntfs_refresh_zone(sbi);
+ up_read(lock);
+ }
+ } else {
+ ntfs_refresh_zone(sbi);
+ }
}
up_write(&wnd->rw_lock);
if (err)
--
2.52.0
Reply all
Reply to author
Forward
0 new messages