possible deadlock in nbd_open


syzbot

Nov 23, 2022, 7:35:55 PM11/23/22
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15559039880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=1499b08ad22121686f59
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1499b0...@syzkaller.appspotmail.com

block nbd3: shutting down sockets
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/13309 is trying to acquire lock:
00000000b16339f0 ((wq_completion)"knbd%d-recv"nbd->index){+.+.}, at: flush_workqueue+0xe8/0x13e0 kernel/workqueue.c:2658

but task is already holding lock:
000000008f6e32c5 (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock lib/refcount.c:311 [inline]
000000008f6e32c5 (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock+0x4a/0x80 lib/refcount.c:306

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #8 (&nbd->config_lock){+.+.}:
nbd_open+0x2e2/0x6f0 drivers/block/nbd.c:1428
__blkdev_get+0x372/0x1480 fs/block_dev.c:1494
blkdev_get+0xb0/0x940 fs/block_dev.c:1627
blkdev_open+0x202/0x290 fs/block_dev.c:1788
do_dentry_open+0x4aa/0x1160 fs/open.c:796
do_last fs/namei.c:3421 [inline]
path_openat+0x793/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #7 (nbd_index_mutex){+.+.}:
nbd_open+0x73/0x6f0 drivers/block/nbd.c:1415
__blkdev_get+0x372/0x1480 fs/block_dev.c:1494
blkdev_get+0xb0/0x940 fs/block_dev.c:1627
blkdev_open+0x202/0x290 fs/block_dev.c:1788
do_dentry_open+0x4aa/0x1160 fs/open.c:796
do_last fs/namei.c:3421 [inline]
path_openat+0x793/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #6 (&bdev->bd_mutex){+.+.}:
blkdev_put+0x30/0x520 fs/block_dev.c:1839
btrfs_close_bdev fs/btrfs/volumes.c:1033 [inline]
btrfs_close_one_device fs/btrfs/volumes.c:1057 [inline]
close_fs_devices.part.0+0x24d/0x8e0 fs/btrfs/volumes.c:1085
close_fs_devices fs/btrfs/volumes.c:1117 [inline]
btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1103
close_ctree+0x3c8/0x850 fs/btrfs/disk-io.c:4047
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_anon_super+0x36/0x60 fs/super.c:1032
btrfs_kill_super+0x49/0x550 fs/btrfs/super.c:2221
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #5 (&fs_devs->device_list_mutex){+.+.}:
btrfs_finish_chunk_alloc+0x27b/0xf90 fs/btrfs/volumes.c:4938
btrfs_create_pending_block_groups+0x242/0x590 fs/btrfs/extent-tree.c:10134
__btrfs_end_transaction+0x21a/0xb00 fs/btrfs/transaction.c:855
flush_space+0xa41/0xee0 fs/btrfs/extent-tree.c:4861
btrfs_async_reclaim_metadata_space+0x466/0x1050 fs/btrfs/extent-tree.c:4977
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #4 (sb_internal#2){.+.+}:
sb_start_intwrite include/linux/fs.h:1626 [inline]
start_transaction+0xa37/0xf90 fs/btrfs/transaction.c:528
btrfs_dirty_inode+0xe3/0x210 fs/btrfs/inode.c:6165
btrfs_update_time+0x33b/0x3d0 fs/btrfs/inode.c:6207
update_time fs/inode.c:1675 [inline]
touch_atime+0x23c/0x2a0 fs/inode.c:1746
file_accessed include/linux/fs.h:2123 [inline]
btrfs_file_mmap+0x11b/0x160 fs/btrfs/file.c:2274
call_mmap include/linux/fs.h:1826 [inline]
mmap_region+0xc94/0x16b0 mm/mmap.c:1757
do_mmap+0x8e8/0x1080 mm/mmap.c:1530
do_mmap_pgoff include/linux/mm.h:2329 [inline]
vm_mmap_pgoff+0x197/0x200 mm/util.c:357
ksys_mmap_pgoff+0x298/0x5a0 mm/mmap.c:1580
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #3 (&mm->mmap_sem){++++}:
_copy_to_iter+0x3d0/0xea0 lib/iov_iter.c:564
copy_to_iter include/linux/uio.h:106 [inline]
skb_copy_datagram_iter+0x469/0x9e0 net/core/datagram.c:431
skb_copy_datagram_msg include/linux/skbuff.h:3347 [inline]
unix_dgram_recvmsg+0x3b7/0xdb0 net/unix/af_unix.c:2180
sock_recvmsg_nosec net/socket.c:859 [inline]
sock_recvmsg net/socket.c:866 [inline]
sock_recvmsg net/socket.c:862 [inline]
__sys_recvfrom+0x249/0x3a0 net/socket.c:1956
__do_sys_recvfrom net/socket.c:1974 [inline]
__se_sys_recvfrom net/socket.c:1970 [inline]
__x64_sys_recvfrom+0xdd/0x1b0 net/socket.c:1970
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&u->iolock){+.+.}:
unix_stream_read_generic+0x2de/0x1a40 net/unix/af_unix.c:2322
unix_stream_recvmsg+0xb1/0xf0 net/unix/af_unix.c:2505
sock_recvmsg_nosec net/socket.c:859 [inline]
sock_recvmsg net/socket.c:866 [inline]
sock_recvmsg+0xca/0x110 net/socket.c:862
sock_xmit+0x37d/0x5c0 drivers/block/nbd.c:439
nbd_read_stat drivers/block/nbd.c:633 [inline]
recv_work+0x1e9/0x1100 drivers/block/nbd.c:732
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #1 ((work_completion)(&args->work)){+.+.}:
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #0 ((wq_completion)"knbd%d-recv"nbd->index){+.+.}:
flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661
drain_workqueue+0x1a5/0x460 kernel/workqueue.c:2826
destroy_workqueue+0x75/0x790 kernel/workqueue.c:4183
nbd_config_put+0x3c5/0x870 drivers/block/nbd.c:1175
nbd_release+0xf4/0x170 drivers/block/nbd.c:1461
__blkdev_put+0x636/0x870 fs/block_dev.c:1819
blkdev_close+0x86/0xb0 fs/block_dev.c:1888
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
(wq_completion)"knbd%d-recv"nbd->index --> nbd_index_mutex --> &nbd->config_lock

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&nbd->config_lock);
                               lock(nbd_index_mutex);
                               lock(&nbd->config_lock);
  lock((wq_completion)"knbd%d-recv"nbd->index);

*** DEADLOCK ***

2 locks held by syz-executor.3/13309:
#0: 00000000af00b7a3 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0xfc/0x870 fs/block_dev.c:1806
#1: 000000008f6e32c5 (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock lib/refcount.c:311 [inline]
#1: 000000008f6e32c5 (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock+0x4a/0x80 lib/refcount.c:306

stack backtrace:
CPU: 1 PID: 13309 Comm: syz-executor.3 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1979 [inline]
validate_chain kernel/locking/lockdep.c:2420 [inline]
__lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661
drain_workqueue+0x1a5/0x460 kernel/workqueue.c:2826
destroy_workqueue+0x75/0x790 kernel/workqueue.c:4183
nbd_config_put+0x3c5/0x870 drivers/block/nbd.c:1175
nbd_release+0xf4/0x170 drivers/block/nbd.c:1461
__blkdev_put+0x636/0x870 fs/block_dev.c:1819
blkdev_close+0x86/0xb0 fs/block_dev.c:1888
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f82723ba109
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f827092c168 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 00007f82724d9f80 RCX: 00007f82723ba109
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f8272415ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe43fe5c2f R14: 00007f827092c300 R15: 0000000000022000

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 4, 2022, 8:15:44 AM12/4/22
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11096337880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=1499b08ad22121686f59
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=119c33bd880000
mounted in repro: https://storage.googleapis.com/syzbot-assets/a34295159d44/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1499b0...@syzkaller.appspotmail.com

BTRFS info (device loop5): has skinny extents
BTRFS warning (device <unknown>): duplicate device /dev/loop1 devid 1 generation 8 scanned by syz-executor.1 (667)
block nbd4: shutting down sockets
======================================================
BTRFS warning (device <unknown>): duplicate device /dev/loop1 devid 1 generation 8 scanned by systemd-udevd (698)
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/625 is trying to acquire lock:
0000000095197c66 ((wq_completion)"knbd%d-recv"nbd->index){+.+.}, at: flush_workqueue+0xe8/0x13e0 kernel/workqueue.c:2658

but task is already holding lock:
000000002045c1cf (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock lib/refcount.c:311 [inline]
000000002045c1cf (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock+0x4a/0x80 lib/refcount.c:306
2 locks held by syz-executor.4/625:
#0: 00000000efa7cf4a (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0xfc/0x870 fs/block_dev.c:1806
#1: 000000002045c1cf (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock lib/refcount.c:311 [inline]
#1: 000000002045c1cf (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock+0x4a/0x80 lib/refcount.c:306

stack backtrace:
CPU: 1 PID: 625 Comm: syz-executor.4 Not tainted 4.19.211-syzkaller #0
RIP: 0033:0x7ff01b416f8b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffefedd9e50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000009 RCX: 00007ff01b416f8b
RDX: 00007ff01afde8d0 RSI: ffffffffffffffff RDI: 0000000000000008
RBP: 00007ff01b586980 R08: 0000000000000000 R09: 00007ff01afd9000
R10: 00007ff01afde8d8 R11: 0000000000000293 R12: 0000000000184292
R13: 00007ffefedd9f50 R14: 00007ff01b584f80 R15: 0000000000000032

syzbot

Jan 7, 2023, 10:02:37 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10b9dcd6480000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=1499b08ad22121686f59
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15b9a18a480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=110c9de6480000
mounted in repro: https://storage.googleapis.com/syzbot-assets/5609c3b93dde/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1499b0...@syzkaller.appspotmail.com

block nbd1: shutting down sockets
block nbd0: shutting down sockets
block nbd4: shutting down sockets
block nbd2: shutting down sockets
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor228/8129 is trying to acquire lock:
00000000da7025a4 ((wq_completion)"knbd%d-recv"nbd->index){+.+.}, at: flush_workqueue+0xe8/0x13e0 kernel/workqueue.c:2658

but task is already holding lock:
000000003a5537cb (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock lib/refcount.c:311 [inline]
000000003a5537cb (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock+0x4a/0x80 lib/refcount.c:306

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #10 (&nbd->config_lock){+.+.}:
nbd_open+0x2e2/0x6f0 drivers/block/nbd.c:1428
__blkdev_get+0x372/0x1480 fs/block_dev.c:1494
blkdev_get+0xb0/0x940 fs/block_dev.c:1627
blkdev_open+0x202/0x290 fs/block_dev.c:1788
do_dentry_open+0x4aa/0x1160 fs/open.c:796
do_last fs/namei.c:3421 [inline]
path_openat+0x793/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #9 (nbd_index_mutex){+.+.}:
nbd_open+0x73/0x6f0 drivers/block/nbd.c:1415
__blkdev_get+0x372/0x1480 fs/block_dev.c:1494
blkdev_get+0xb0/0x940 fs/block_dev.c:1627
blkdev_open+0x202/0x290 fs/block_dev.c:1788
do_dentry_open+0x4aa/0x1160 fs/open.c:796
do_last fs/namei.c:3421 [inline]
path_openat+0x793/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #8 (&bdev->bd_mutex){+.+.}:
blkdev_put+0x30/0x520 fs/block_dev.c:1839
btrfs_close_bdev fs/btrfs/volumes.c:1033 [inline]
btrfs_close_one_device fs/btrfs/volumes.c:1057 [inline]
close_fs_devices.part.0+0x24d/0x8e0 fs/btrfs/volumes.c:1085
close_fs_devices fs/btrfs/volumes.c:1117 [inline]
btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1103
close_ctree+0x3c8/0x850 fs/btrfs/disk-io.c:4047
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_anon_super+0x36/0x60 fs/super.c:1032
btrfs_kill_super+0x49/0x550 fs/btrfs/super.c:2221
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #7 (&fs_devs->device_list_mutex){+.+.}:
btrfs_run_dev_stats+0xbb/0xa80 fs/btrfs/volumes.c:7111
commit_cowonly_roots+0x1ce/0xc30 fs/btrfs/transaction.c:1172
btrfs_commit_transaction+0x94a/0x2480 fs/btrfs/transaction.c:2218
btrfs_clear_free_space_tree+0x69d/0xa50 fs/btrfs/free-space-tree.c:1255
open_ctree.cold+0x30/0xc3d fs/btrfs/disk-io.c:3203
btrfs_fill_super fs/btrfs/super.c:1209 [inline]
btrfs_mount_root+0x12e5/0x1830 fs/btrfs/super.c:1613
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
btrfs_mount+0x23a/0xaa0 fs/btrfs/super.c:1681
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #6 (&fs_info->tree_log_mutex){+.+.}:
btrfs_commit_transaction+0x8c2/0x2480 fs/btrfs/transaction.c:2176
btrfs_clear_free_space_tree+0x69d/0xa50 fs/btrfs/free-space-tree.c:1255
open_ctree.cold+0x30/0xc3d fs/btrfs/disk-io.c:3203
btrfs_fill_super fs/btrfs/super.c:1209 [inline]
btrfs_mount_root+0x12e5/0x1830 fs/btrfs/super.c:1613
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
btrfs_mount+0x23a/0xaa0 fs/btrfs/super.c:1681
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #5 (&fs_info->reloc_mutex){+.+.}:
btrfs_commit_transaction+0x80b/0x2480 fs/btrfs/transaction.c:2120
btrfs_clear_free_space_tree+0x69d/0xa50 fs/btrfs/free-space-tree.c:1255
open_ctree.cold+0x30/0xc3d fs/btrfs/disk-io.c:3203
btrfs_fill_super fs/btrfs/super.c:1209 [inline]
btrfs_mount_root+0x12e5/0x1830 fs/btrfs/super.c:1613
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
btrfs_mount+0x23a/0xaa0 fs/btrfs/super.c:1681
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #4 (sb_internal#2){.+.+}:
sb_start_intwrite include/linux/fs.h:1626 [inline]
start_transaction+0xa37/0xf90 fs/btrfs/transaction.c:528
btrfs_dirty_inode+0xe3/0x210 fs/btrfs/inode.c:6165
btrfs_update_time+0x33b/0x3d0 fs/btrfs/inode.c:6207
update_time fs/inode.c:1675 [inline]
touch_atime+0x23c/0x2a0 fs/inode.c:1746
file_accessed include/linux/fs.h:2123 [inline]
btrfs_file_mmap+0x11b/0x160 fs/btrfs/file.c:2274
call_mmap include/linux/fs.h:1826 [inline]
mmap_region+0xc94/0x16b0 mm/mmap.c:1757
do_mmap+0x8e8/0x1080 mm/mmap.c:1530
do_mmap_pgoff include/linux/mm.h:2329 [inline]
vm_mmap_pgoff+0x197/0x200 mm/util.c:357
ksys_mmap_pgoff+0x298/0x5a0 mm/mmap.c:1580
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #3 (&mm->mmap_sem){++++}:
_copy_to_iter+0x3d0/0xea0 lib/iov_iter.c:564
copy_to_iter include/linux/uio.h:106 [inline]
skb_copy_datagram_iter+0x469/0x9e0 net/core/datagram.c:431
skb_copy_datagram_msg include/linux/skbuff.h:3347 [inline]
unix_stream_read_actor+0x78/0xc0 net/unix/af_unix.c:2489
unix_stream_read_generic+0x8b9/0x1a40 net/unix/af_unix.c:2410
unix_stream_recvmsg+0xb1/0xf0 net/unix/af_unix.c:2505
sock_recvmsg_nosec net/socket.c:859 [inline]
sock_recvmsg net/socket.c:866 [inline]
sock_recvmsg net/socket.c:862 [inline]
sock_read_iter+0x339/0x470 net/socket.c:944
call_read_iter include/linux/fs.h:1815 [inline]
new_sync_read fs/read_write.c:406 [inline]
__vfs_read+0x518/0x750 fs/read_write.c:418
vfs_read+0x194/0x3c0 fs/read_write.c:452
ksys_read+0x12b/0x2a0 fs/read_write.c:579
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
get_signal+0x3f2/0x1f70 kernel/signal.c:2589
do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
(wq_completion)"knbd%d-recv"nbd->index --> nbd_index_mutex --> &nbd->config_lock

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&nbd->config_lock);
                               lock(nbd_index_mutex);
                               lock(&nbd->config_lock);
  lock((wq_completion)"knbd%d-recv"nbd->index);

*** DEADLOCK ***

2 locks held by syz-executor228/8129:
#0: 000000001d3ce4bb (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0xfc/0x870 fs/block_dev.c:1806
#1: 000000003a5537cb (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock lib/refcount.c:311 [inline]
#1: 000000003a5537cb (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock+0x4a/0x80 lib/refcount.c:306

stack backtrace:
CPU: 1 PID: 8129 Comm: syz-executor228 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1979 [inline]
validate_chain kernel/locking/lockdep.c:2420 [inline]
__lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661
drain_workqueue+0x1a5/0x460 kernel/workqueue.c:2826
destroy_workqueue+0x75/0x790 kernel/workqueue.c:4183
nbd_config_put+0x3c5/0x870 drivers/block/nbd.c:1175
nbd_release+0xf4/0x170 drivers/block/nbd.c:1461
__blkdev_put+0x636/0x870 fs/block_dev.c:1819
blkdev_close+0x86/0xb0 fs/block_dev.c:1888
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
get_signal+0x3f2/0x1f70 kernel/signal.c:2589
do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f64923ffc99
Code: Bad RIP value.
RSP: 002b:00007fffe684ab58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007f64923ffc99
RDX: 0000000000000000 RSI: 000000000000ab03 RDI: 0000000000000004
RBP: 0000000000000000 R08: 00007fffe684ab80 R09: 00007fffe684ab80
R10: 00007fffe684ab80 R11: 0000000000000246 R12: 00007f64923beab0
R13: 00007fffe684abb0 R14: 00007fffe684ab90 R15: 0000000000000000
BTRFS warning (device <unknown>): duplicate device /dev/loop3 devid 1 generation 8 scanned by syz-executor228 (8670)
btrfs_printk: 26 callbacks suppressed
BTRFS info (device loop1): enabling inode map caching
BTRFS warning (device <unknown>): duplicate device /dev/loop3 devid 1 generation 8 scanned by systemd-udevd (8680)
BTRFS info (device loop1): force clearing of disk cache
BTRFS warning (device <unknown>): duplicate device /dev/loop4 devid 1 generation 8 scanned by syz-executor228 (8686)
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS warning (device <unknown>): duplicate device /dev/loop0 devid 1 generation 8 scanned by syz-executor228 (8682)
BTRFS warning (device <unknown>): duplicate device /dev/loop0 devid 1 generation 8 scanned by systemd-udevd (8677)
BTRFS warning (device <unknown>): duplicate device /dev/loop4 devid 1 generation 8 scanned by systemd-udevd (8692)
BTRFS warning (device <unknown>): duplicate device /dev/loop5 devid 1 generation 8 scanned by systemd-udevd (8708)
BTRFS warning (device <unknown>): duplicate device /dev/loop2 devid 1 generation 8 scanned by syz-executor228 (8685)
BTRFS warning (device <unknown>): duplicate device /dev/loop2 devid 1 generation 8 scanned by systemd-udevd (8699)
BTRFS warning (device <unknown>): duplicate device /dev/loop5 devid 1 generation 8 scanned by syz-executor228 (8684)
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
BTRFS info (device loop1): force clearing of disk cache
BTRFS info (device loop1): disabling free space tree
BTRFS info (device loop1): setting 8 feature flag
BTRFS info (device loop1): use lzo compression, level 0
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): clearing free space tree
BTRFS info (device loop1): clearing 1 ro feature flag
BTRFS info (device loop1): clearing 2 ro feature flag
BTRFS info (device loop1): enabling inode map caching
block nbd3: shutting down sockets
==================================================================
BUG: KASAN: use-after-free in btrfs_search_slot+0x1cca/0x1ee0 fs/btrfs/ctree.c:2793
Read of size 8 at addr ffff8880abe0c770 by task btrfs-ino-cache/9337

CPU: 0 PID: 9337 Comm: btrfs-ino-cache Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
btrfs_search_slot+0x1cca/0x1ee0 fs/btrfs/ctree.c:2793
caching_kthread+0x275/0x970 fs/btrfs/inode-map.c:61
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 9306:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
btrfs_alloc_root fs/btrfs/disk-io.c:1220 [inline]
btrfs_read_tree_root+0x94/0x560 fs/btrfs/disk-io.c:1421
btrfs_read_fs_root fs/btrfs/disk-io.c:1467 [inline]
btrfs_get_fs_root+0x239/0x890 fs/btrfs/disk-io.c:1601
btrfs_read_fs_root_no_name fs/btrfs/disk-io.h:80 [inline]
open_ctree+0x469c/0x61e0 fs/btrfs/disk-io.c:3181
btrfs_fill_super fs/btrfs/super.c:1209 [inline]
btrfs_mount_root+0x12e5/0x1830 fs/btrfs/super.c:1613
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
btrfs_mount+0x23a/0xaa0 fs/btrfs/super.c:1681
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8123:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
btrfs_put_fs_root fs/btrfs/disk-io.h:111 [inline]
btrfs_free_fs_root+0x1e6/0x260 fs/btrfs/disk-io.c:3861
btrfs_free_fs_roots+0x2ef/0x4d0 fs/btrfs/disk-io.c:2092
close_ctree+0x306/0x850 fs/btrfs/disk-io.c:4017
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_anon_super+0x36/0x60 fs/super.c:1032
btrfs_kill_super+0x49/0x550 fs/btrfs/super.c:2221
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880abe0c580
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 496 bytes inside of
4096-byte region [ffff8880abe0c580, ffff8880abe0d580)
The buggy address belongs to the page:
page:ffffea0002af8300 count:1 mapcount:0 mapping:ffff88813bff0dc0 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea000251f888 ffffea000254dd08 ffff88813bff0dc0
raw: 0000000000000000 ffff8880abe0c580 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880abe0c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880abe0c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880abe0c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880abe0c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880abe0c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
