possible deadlock in map_mft_record

syzbot

Oct 9, 2022, 3:52:31 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13929642880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=780cf5325e371630f195
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+780cf5...@syzkaller.appspotmail.com

Y�4��`Ҙ: renamed from lo
ntfs: volume version 3.1.
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/23854 is trying to acquire lock:
000000004be56e46 (&ni->mrec_lock){+.+.}, at: map_mft_record+0x3c/0xc70 fs/ntfs/mft.c:168

but task is already holding lock:
00000000e672da82 (&rl->lock){++++}, at: ntfs_attr_extend_allocation+0x22c/0x34c0 fs/ntfs/attrib.c:1991

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:
syz-executor.5 (23764): drop_caches: 1

-> #1 (&rl->lock){++++}:
ntfs_read_block fs/ntfs/aops.c:265 [inline]
ntfs_readpage+0x1909/0x21b0 fs/ntfs/aops.c:452
do_read_cache_page+0x533/0x1170 mm/filemap.c:2828
read_mapping_page include/linux/pagemap.h:402 [inline]
ntfs_map_page fs/ntfs/aops.h:89 [inline]
ntfs_sync_mft_mirror+0x24f/0x1d00 fs/ntfs/mft.c:494
write_mft_record_nolock+0x13d2/0x16c0 fs/ntfs/mft.c:801
write_mft_record fs/ntfs/mft.h:109 [inline]
__ntfs_write_inode+0x609/0xe10 fs/ntfs/inode.c:3064
write_inode fs/fs-writeback.c:1244 [inline]
__writeback_single_inode+0x733/0x11d0 fs/fs-writeback.c:1442
writeback_sb_inodes+0x537/0xef0 fs/fs-writeback.c:1647
wb_writeback+0x28d/0xcc0 fs/fs-writeback.c:1820
wb_do_writeback fs/fs-writeback.c:1965 [inline]
wb_workfn+0x29b/0x1250 fs/fs-writeback.c:2006
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #0 (&ni->mrec_lock){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:937 [inline]
__mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
map_mft_record+0x3c/0xc70 fs/ntfs/mft.c:168
ntfs_attr_extend_allocation+0x236/0x34c0 fs/ntfs/attrib.c:1992
ntfs_prepare_file_for_write fs/ntfs/file.c:412 [inline]
ntfs_file_write_iter+0x6c9/0x23b0 fs/ntfs/file.c:1949
call_write_iter include/linux/fs.h:1821 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x51b/0x770 fs/read_write.c:487
vfs_write+0x1f3/0x540 fs/read_write.c:549
ksys_write+0x12b/0x2a0 fs/read_write.c:599
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
syz-executor.5 (23764): drop_caches: 1
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&rl->lock);
                               lock(&ni->mrec_lock);
                               lock(&rl->lock);
  lock(&ni->mrec_lock);

*** DEADLOCK ***

4 locks held by syz-executor.1/23854:
#0: 000000004d2b7fcd (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x26f/0x310 fs/file.c:767
#1: 0000000049189886 (sb_writers#20){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline]
#1: 0000000049189886 (sb_writers#20){.+.+}, at: vfs_write+0x463/0x540 fs/read_write.c:548
#2: 00000000d599332e (&sb->s_type->i_mutex_key#25){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
#2: 00000000d599332e (&sb->s_type->i_mutex_key#25){+.+.}, at: ntfs_file_write_iter+0x79/0x23b0 fs/ntfs/file.c:1946
#3: 00000000e672da82 (&rl->lock){++++}, at: ntfs_attr_extend_allocation+0x22c/0x34c0 fs/ntfs/attrib.c:1991

stack backtrace:
CPU: 0 PID: 23854 Comm: syz-executor.1 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
syz-executor.5 (23764): drop_caches: 1
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1979 [inline]
validate_chain kernel/locking/lockdep.c:2420 [inline]
__lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
__mutex_lock_common kernel/locking/mutex.c:937 [inline]
__mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
syz-executor.5 (23764): drop_caches: 1
map_mft_record+0x3c/0xc70 fs/ntfs/mft.c:168
ntfs_attr_extend_allocation+0x236/0x34c0 fs/ntfs/attrib.c:1992
ntfs_prepare_file_for_write fs/ntfs/file.c:412 [inline]
ntfs_file_write_iter+0x6c9/0x23b0 fs/ntfs/file.c:1949
call_write_iter include/linux/fs.h:1821 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x51b/0x770 fs/read_write.c:487
vfs_write+0x1f3/0x540 fs/read_write.c:549
ksys_write+0x12b/0x2a0 fs/read_write.c:599
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fe0065ca5a9
syz-executor.5 (23764): drop_caches: 1
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe004f3e168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fe0066ebf80 RCX: 00007fe0065ca5a9
RDX: 0000000000000070 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00007fe006625580 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe36b87fdf R14: 00007fe004f3e300 R15: 0000000000022000
syz-executor.5 (23764): drop_caches: 1
syz-executor.5 (23764): drop_caches: 1
syz-executor.5 (23764): drop_caches: 1
syz-executor.5 (23764): drop_caches: 1
syz-executor.5 (23764): drop_caches: 1
syz-executor.5 (23764): drop_caches: 1
syz-executor.5 (23764): drop_caches: 1
ntfs: volume version 3.1.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'.
mmap: syz-executor.3 (24147) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
(unnamed net_device) (uninitialized): Device bond_slave_1 is not our slave
(unnamed net_device) (uninitialized): option active_slave: invalid value (bond_slave_1)
caif:caif_disconnect_client(): nothing to disconnect
EXT4-fs warning (device sda1): ext4_group_add:1682: No reserved GDT blocks, can't resize
(unnamed net_device) (uninitialized): Device bond_slave_1 is not our slave
(unnamed net_device) (uninitialized): option active_slave: invalid value (bond_slave_1)
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
EXT4-fs warning (device sda1): ext4_group_add:1682: No reserved GDT blocks, can't resize
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
EXT4-fs warning (device sda1): ext4_group_add:1682: No reserved GDT blocks, can't resize
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
EXT4-fs warning (device sda1): ext4_group_add:1682: No reserved GDT blocks, can't resize
FAT-fs (loop3): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
----------------
Code disassembly (best guess), 1 bytes skipped:
0: ff c3 inc %ebx
2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 40 00 nopl 0x0(%rax)
10: 48 89 f8 mov %rdi,%rax
13: 48 89 f7 mov %rsi,%rdi
16: 48 89 d6 mov %rdx,%rsi
19: 48 89 ca mov %rcx,%rdx
1c: 4d 89 c2 mov %r8,%r10
1f: 4d 89 c8 mov %r9,%r8
22: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
27: 0f 05 syscall
* 29: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
2f: 73 01 jae 0x32
31: c3 retq
32: 48 c7 c1 b8 ff ff ff mov $0xffffffffffffffb8,%rcx
39: f7 d8 neg %eax
3b: 64 89 01 mov %eax,%fs:(%rcx)
3e: 48 rex.W


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jan 12, 2023, 3:05:44 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15b5a902480000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=780cf5325e371630f195
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1241892c480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1686480000
mounted in repro: https://storage.googleapis.com/syzbot-assets/c5c0429a6082/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+780cf5...@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
ntfs: volume version 3.1.
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor339/8134 is trying to acquire lock:
00000000e032c785 (&lcnbmp_mrec_lock_key){+.+.}, at: map_mft_record+0x3c/0xc70 fs/ntfs/mft.c:168

but task is already holding lock:
000000008e8ded6c (&vol->lcnbmp_lock){+.+.}, at: ntfs_put_super+0x398/0x16f0 fs/ntfs/super.c:2295

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&vol->lcnbmp_lock){+.+.}:
__ntfs_cluster_free+0x129/0xbd0 fs/ntfs/lcnalloc.c:876
ntfs_cluster_free fs/ntfs/lcnalloc.h:110 [inline]
ntfs_truncate+0x157c/0x2820 fs/ntfs/inode.c:2707
ntfs_truncate_vfs fs/ntfs/inode.c:2875 [inline]
ntfs_setattr+0x1b6/0x620 fs/ntfs/inode.c:2925
notify_change+0x70b/0xfc0 fs/attr.c:334
do_truncate+0x134/0x1f0 fs/open.c:63
handle_truncate fs/namei.c:3009 [inline]
do_last fs/namei.c:3427 [inline]
path_openat+0x2308/0x2df0 fs/namei.c:3537
do_file_open_root+0x265/0x4f0 fs/namei.c:3595
file_open_root+0x279/0x390 fs/open.c:1066
do_handle_open+0x368/0x650 fs/fhandle.c:232
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&lcnbmp_mrec_lock_key){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:937 [inline]
__mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
map_mft_record+0x3c/0xc70 fs/ntfs/mft.c:168
__ntfs_write_inode+0xa4/0xe10 fs/ntfs/inode.c:2992
ntfs_commit_inode fs/ntfs/inode.h:315 [inline]
ntfs_put_super+0x117b/0x16f0 fs/ntfs/super.c:2296
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
__do_sys_exit_group kernel/exit.c:978 [inline]
__se_sys_exit_group kernel/exit.c:976 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&vol->lcnbmp_lock);
                               lock(&lcnbmp_mrec_lock_key);
                               lock(&vol->lcnbmp_lock);
  lock(&lcnbmp_mrec_lock_key);

*** DEADLOCK ***

2 locks held by syz-executor339/8134:
#0: 00000000fcff927b (&type->s_umount_key#47){+.+.}, at: deactivate_super+0x16c/0x1a0 fs/super.c:359
#1: 000000008e8ded6c (&vol->lcnbmp_lock){+.+.}, at: ntfs_put_super+0x398/0x16f0 fs/ntfs/super.c:2295

stack backtrace:
CPU: 0 PID: 8134 Comm: syz-executor339 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1979 [inline]
validate_chain kernel/locking/lockdep.c:2420 [inline]
__lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
__mutex_lock_common kernel/locking/mutex.c:937 [inline]
__mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
map_mft_record+0x3c/0xc70 fs/ntfs/mft.c:168
__ntfs_write_inode+0xa4/0xe10 fs/ntfs/inode.c:2992
ntfs_commit_inode fs/ntfs/inode.h:315 [inline]
ntfs_put_super+0x117b/0x16f0 fs/ntfs/super.c:2296
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
__do_sys_exit_group kernel/exit.c:978 [inline]
__se_sys_exit_group kernel/exit.c:976 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ff633870a49
Code: Bad RIP value.
RSP: 002b:00007ffc6b2983d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ff633905330 RCX: 00007ff633870a49
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: f