Hello,
syzbot found the following issue on:
HEAD commit:    3f8a27f9e27b Linux 4.19.211
git tree:       linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13929642880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=780cf5325e371630f195
compiler:       gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux:    https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+780cf5...@syzkaller.appspotmail.com
ntfs: volume version 3.1.
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/23854 is trying to acquire lock:
000000004be56e46 (&ni->mrec_lock){+.+.}, at: map_mft_record+0x3c/0xc70 fs/ntfs/mft.c:168
but task is already holding lock:
00000000e672da82 (&rl->lock){++++}, at: ntfs_attr_extend_allocation+0x22c/0x34c0 fs/ntfs/attrib.c:1991
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&rl->lock){++++}:
ntfs_read_block fs/ntfs/aops.c:265 [inline]
ntfs_readpage+0x1909/0x21b0 fs/ntfs/aops.c:452
do_read_cache_page+0x533/0x1170 mm/filemap.c:2828
read_mapping_page include/linux/pagemap.h:402 [inline]
ntfs_map_page fs/ntfs/aops.h:89 [inline]
ntfs_sync_mft_mirror+0x24f/0x1d00 fs/ntfs/mft.c:494
write_mft_record_nolock+0x13d2/0x16c0 fs/ntfs/mft.c:801
write_mft_record fs/ntfs/mft.h:109 [inline]
__ntfs_write_inode+0x609/0xe10 fs/ntfs/inode.c:3064
write_inode fs/fs-writeback.c:1244 [inline]
__writeback_single_inode+0x733/0x11d0 fs/fs-writeback.c:1442
writeback_sb_inodes+0x537/0xef0 fs/fs-writeback.c:1647
wb_writeback+0x28d/0xcc0 fs/fs-writeback.c:1820
wb_do_writeback fs/fs-writeback.c:1965 [inline]
wb_workfn+0x29b/0x1250 fs/fs-writeback.c:2006
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
-> #0 (&ni->mrec_lock){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:937 [inline]
__mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
map_mft_record+0x3c/0xc70 fs/ntfs/mft.c:168
ntfs_attr_extend_allocation+0x236/0x34c0 fs/ntfs/attrib.c:1992
ntfs_prepare_file_for_write fs/ntfs/file.c:412 [inline]
ntfs_file_write_iter+0x6c9/0x23b0 fs/ntfs/file.c:1949
call_write_iter include/linux/fs.h:1821 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x51b/0x770 fs/read_write.c:487
vfs_write+0x1f3/0x540 fs/read_write.c:549
ksys_write+0x12b/0x2a0 fs/read_write.c:599
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&rl->lock);
                               lock(&ni->mrec_lock);
                               lock(&rl->lock);
  lock(&ni->mrec_lock);
*** DEADLOCK ***
4 locks held by syz-executor.1/23854:
#0: 000000004d2b7fcd (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x26f/0x310 fs/file.c:767
#1: 0000000049189886 (sb_writers#20){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline]
#1: 0000000049189886 (sb_writers#20){.+.+}, at: vfs_write+0x463/0x540 fs/read_write.c:548
#2: 00000000d599332e (&sb->s_type->i_mutex_key#25){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
#2: 00000000d599332e (&sb->s_type->i_mutex_key#25){+.+.}, at: ntfs_file_write_iter+0x79/0x23b0 fs/ntfs/file.c:1946
#3: 00000000e672da82 (&rl->lock){++++}, at: ntfs_attr_extend_allocation+0x22c/0x34c0 fs/ntfs/attrib.c:1991
stack backtrace:
CPU: 0 PID: 23854 Comm: syz-executor.1 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1979 [inline]
validate_chain kernel/locking/lockdep.c:2420 [inline]
__lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
__mutex_lock_common kernel/locking/mutex.c:937 [inline]
__mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
map_mft_record+0x3c/0xc70 fs/ntfs/mft.c:168
ntfs_attr_extend_allocation+0x236/0x34c0 fs/ntfs/attrib.c:1992
ntfs_prepare_file_for_write fs/ntfs/file.c:412 [inline]
ntfs_file_write_iter+0x6c9/0x23b0 fs/ntfs/file.c:1949
call_write_iter include/linux/fs.h:1821 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x51b/0x770 fs/read_write.c:487
vfs_write+0x1f3/0x540 fs/read_write.c:549
ksys_write+0x12b/0x2a0 fs/read_write.c:599
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fe0065ca5a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe004f3e168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fe0066ebf80 RCX: 00007fe0065ca5a9
RDX: 0000000000000070 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00007fe006625580 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe36b87fdf R14: 00007fe004f3e300 R15: 0000000000022000
----------------
Code disassembly (best guess), 1 bytes skipped:
0: ff c3 inc %ebx
2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 40 00 nopl 0x0(%rax)
10: 48 89 f8 mov %rdi,%rax
13: 48 89 f7 mov %rsi,%rdi
16: 48 89 d6 mov %rdx,%rsi
19: 48 89 ca mov %rcx,%rdx
1c: 4d 89 c2 mov %r8,%r10
1f: 4d 89 c8 mov %r9,%r8
22: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
27: 0f 05 syscall
* 29: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
2f: 73 01 jae 0x32
31: c3 retq
32: 48 c7 c1 b8 ff ff ff mov $0xffffffffffffffb8,%rcx
39: f7 d8 neg %eax
3b: 64 89 01 mov %eax,%fs:(%rcx)
3e: 48 rex.W
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.