[v6.1] possible deadlock in ntfs_fiemap

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: e3a87a10f259 Linux 6.1.21
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17c586d5c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b49b0405a60858ed
dashboard link: https://syzkaller.appspot.com/bug?extid=b40a7a91431612fd07c7
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ed3d1f3e75e6/disk-e3a87a10.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d8e44c8c75c/vmlinux-e3a87a10.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cebe803ea4fa/bzImage-e3a87a10.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b40a7a...@syzkaller.appspotmail.com

ntfs3: loop2: Different NTFS' sector size (2048) and media sector size (512)
======================================================
WARNING: possible circular locking dependency detected
6.1.21-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/5726 is trying to acquire lock:
ffff888074d41058 (&mm->mmap_lock#2){++++}-{3:3}, at: __might_fault+0x8f/0x110 mm/memory.c:5640

but task is already holding lock:
ffff888071358860 (&ni->ni_lock/4){+.+.}-{3:3}, at: ni_lock fs/ntfs3/ntfs_fs.h:1108 [inline]
ffff888071358860 (&ni->ni_lock/4){+.+.}-{3:3}, at: ntfs_fiemap+0xfb/0x170 fs/ntfs3/file.c:1243

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ni->ni_lock/4){+.+.}-{3:3}:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5669
__mutex_lock_common+0x1d4/0x2520 kernel/locking/mutex.c:603
__mutex_lock kernel/locking/mutex.c:747 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
ni_lock fs/ntfs3/ntfs_fs.h:1108 [inline]
attr_data_get_block+0x429/0x2520 fs/ntfs3/attrib.c:921
ntfs_file_mmap+0x452/0x7e0 fs/ntfs3/file.c:387
call_mmap include/linux/fs.h:2210 [inline]
mmap_region+0xf96/0x1fa0 mm/mmap.c:2625
do_mmap+0x8c5/0xf60 mm/mmap.c:1411
vm_mmap_pgoff+0x1ca/0x2d0 mm/util.c:520
ksys_mmap_pgoff+0x4f5/0x6d0 mm/mmap.c:1457
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 (&mm->mmap_lock#2){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3098 [inline]
check_prevs_add kernel/locking/lockdep.c:3217 [inline]
validate_chain+0x1667/0x58e0 kernel/locking/lockdep.c:3832
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5056
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5669
__might_fault+0xb2/0x110 mm/memory.c:5641
_copy_to_user+0x26/0x130 lib/usercopy.c:36
copy_to_user include/linux/uaccess.h:169 [inline]
fiemap_fill_next_extent+0x231/0x410 fs/ioctl.c:144
ni_fiemap+0x1007/0x1230 fs/ntfs3/frecord.c:1943
ntfs_fiemap+0x12e/0x170 fs/ntfs3/file.c:1245
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x18e9/0x2a90 fs/ioctl.c:810
__do_sys_ioctl fs/ioctl.c:868 [inline]
__se_sys_ioctl+0x81/0x160 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&ni->ni_lock/4);
lock(&mm->mmap_lock#2);
lock(&ni->ni_lock/4);
lock(&mm->mmap_lock#2);

*** DEADLOCK ***

1 lock held by syz-executor.2/5726:
#0: ffff888071358860 (&ni->ni_lock/4){+.+.}-{3:3}, at: ni_lock fs/ntfs3/ntfs_fs.h:1108 [inline]
#0: ffff888071358860 (&ni->ni_lock/4){+.+.}-{3:3}, at: ntfs_fiemap+0xfb/0x170 fs/ntfs3/file.c:1243

stack backtrace:
CPU: 1 PID: 5726 Comm: syz-executor.2 Not tainted 6.1.21-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
check_noncircular+0x2fa/0x3b0 kernel/locking/lockdep.c:2178
check_prev_add kernel/locking/lockdep.c:3098 [inline]
check_prevs_add kernel/locking/lockdep.c:3217 [inline]
validate_chain+0x1667/0x58e0 kernel/locking/lockdep.c:3832
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5056
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5669
__might_fault+0xb2/0x110 mm/memory.c:5641
_copy_to_user+0x26/0x130 lib/usercopy.c:36
copy_to_user include/linux/uaccess.h:169 [inline]
fiemap_fill_next_extent+0x231/0x410 fs/ioctl.c:144
ni_fiemap+0x1007/0x1230 fs/ntfs3/frecord.c:1943
ntfs_fiemap+0x12e/0x170 fs/ntfs3/file.c:1245
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x18e9/0x2a90 fs/ioctl.c:810
__do_sys_ioctl fs/ioctl.c:868 [inline]
__se_sys_ioctl+0x81/0x160 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2323e8c0f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2324b55168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2323fabf80 RCX: 00007f2323e8c0f9
RDX: 0000000020000440 RSI: 00000000c020660b RDI: 0000000000000004
RBP: 00007f2323ee7b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff2cf6f4af R14: 00007f2324b55300 R15: 0000000000022000
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 115472395b0a Linux 5.15.104
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=110d438ec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5592cc4916e1c2f
dashboard link: https://syzkaller.appspot.com/bug?extid=bd1c9712e5f211375acd

compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:

disk image: https://storage.googleapis.com/syzbot-assets/6c2c0744c7e0/disk-11547239.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7ea4c5ecca4f/vmlinux-11547239.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9a231dbcf423/bzImage-11547239.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:

Reported-by: syzbot+bd1c97...@syzkaller.appspotmail.com

ntfs3: loop4: Different NTFS' sector size (2048) and media sector size (512)
ntfs3: loop4: Mark volume as dirty due to NTFS errors

======================================================
WARNING: possible circular locking dependency detected

5.15.104-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/22210 is trying to acquire lock:
ffff88801a1b4e28 (&mm->mmap_lock#2){++++}-{3:3}, at: __might_fault+0x91/0x110 mm/memory.c:5296

but task is already holding lock:

ffff88802c074ac0 (&ni->ni_lock/4){+.+.}-{3:3}, at: ni_lock fs/ntfs3/ntfs_fs.h:1107 [inline]
ffff88802c074ac0 (&ni->ni_lock/4){+.+.}-{3:3}, at: ntfs_fiemap+0xfb/0x170 fs/ntfs3/file.c:1223

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ni->ni_lock/4){+.+.}-{3:3}:

lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
ni_lock fs/ntfs3/ntfs_fs.h:1107 [inline]
attr_data_get_block+0x41f/0x24e0 fs/ntfs3/attrib.c:846
ntfs_file_mmap+0x458/0x7e0 fs/ntfs3/file.c:389
call_mmap include/linux/fs.h:2108 [inline]
mmap_region+0x10e7/0x1670 mm/mmap.c:1791
do_mmap+0x78d/0xe00 mm/mmap.c:1575
vm_mmap_pgoff+0x1ca/0x2d0 mm/util.c:551
ksys_mmap_pgoff+0x559/0x780 mm/mmap.c:1624

do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80

entry_SYSCALL_64_after_hwframe+0x61/0xcb

-> #0 (&mm->mmap_lock#2){++++}-{3:3}:

check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1646/0x58b0 kernel/locking/lockdep.c:3787
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5011
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
__might_fault+0xb4/0x110 mm/memory.c:5297
_copy_to_user+0x28/0x130 lib/usercopy.c:35
copy_to_user include/linux/uaccess.h:200 [inline]
fiemap_fill_next_extent+0x231/0x410 fs/ioctl.c:144
ni_fiemap+0x1007/0x1230 fs/ntfs3/frecord.c:1894
ntfs_fiemap+0x12e/0x170 fs/ntfs3/file.c:1225
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x1934/0x2b70 fs/ioctl.c:814
__do_sys_ioctl fs/ioctl.c:872 [inline]
__se_sys_ioctl+0x81/0x160 fs/ioctl.c:860

do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80

entry_SYSCALL_64_after_hwframe+0x61/0xcb

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&ni->ni_lock/4);
lock(&mm->mmap_lock#2);
lock(&ni->ni_lock/4);
lock(&mm->mmap_lock#2);

*** DEADLOCK ***

1 lock held by syz-executor.4/22210:
#0: ffff88802c074ac0 (&ni->ni_lock/4){+.+.}-{3:3}, at: ni_lock fs/ntfs3/ntfs_fs.h:1107 [inline]
#0: ffff88802c074ac0 (&ni->ni_lock/4){+.+.}-{3:3}, at: ntfs_fiemap+0xfb/0x170 fs/ntfs3/file.c:1223

stack backtrace:
CPU: 1 PID: 22210 Comm: syz-executor.4 Not tainted 5.15.104-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106

check_noncircular+0x2f8/0x3b0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1646/0x58b0 kernel/locking/lockdep.c:3787
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5011
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
__might_fault+0xb4/0x110 mm/memory.c:5297
_copy_to_user+0x28/0x130 lib/usercopy.c:35
copy_to_user include/linux/uaccess.h:200 [inline]
fiemap_fill_next_extent+0x231/0x410 fs/ioctl.c:144
ni_fiemap+0x1007/0x1230 fs/ntfs3/frecord.c:1894
ntfs_fiemap+0x12e/0x170 fs/ntfs3/file.c:1225
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x1934/0x2b70 fs/ioctl.c:814
__do_sys_ioctl fs/ioctl.c:872 [inline]
__se_sys_ioctl+0x81/0x160 fs/ioctl.c:860

do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80

entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fc94179f0f9

Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007fc93fd11168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc9418bef80 RCX: 00007fc94179f0f9
RDX: 0000000020000040 RSI: 00000000c020660b RDI: 0000000000000004
RBP: 00007fc9417fab39 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007ffd11c42b0f R14: 00007fc93fd11300 R15: 0000000000022000

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: 9d6bde853685 Linux 5.15.112
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12fe1186280000
kernel config: https://syzkaller.appspot.com/x/.config?x=508f7a387ef8f82b

dashboard link: https://syzkaller.appspot.com/bug?extid=bd1c9712e5f211375acd
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10e93a5a280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122abe6a280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a8ab2bd416bb/disk-9d6bde85.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c358e3d58bb2/vmlinux-9d6bde85.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c82319bbaeb8/Image-9d6bde85.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ef180c358807/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bd1c97...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 4096

======================================================
WARNING: possible circular locking dependency detected

5.15.112-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor126/3962 is trying to acquire lock:
ffff0000c84579d8 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0xa0/0x128 mm/memory.c:5310

but task is already holding lock:

ffff0000dc7df700 (&ni->ni_lock/4){+.+.}-{3:3}, at: ni_lock fs/ntfs3/ntfs_fs.h:1108 [inline]
ffff0000dc7df700 (&ni->ni_lock/4){+.+.}-{3:3}, at: ntfs_fiemap+0xec/0x168 fs/ntfs3/file.c:1223

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ni->ni_lock/4){+.+.}-{3:3}:

__mutex_lock_common+0x194/0x2154 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0xa4/0xf8 kernel/locking/mutex.c:743
ni_lock fs/ntfs3/ntfs_fs.h:1108 [inline]
attr_data_get_block+0x35c/0x1c18 fs/ntfs3/attrib.c:846
ntfs_file_mmap+0x3a4/0x688 fs/ntfs3/file.c:389
call_mmap include/linux/fs.h:2108 [inline]
mmap_region+0xcb4/0x12f0 mm/mmap.c:1791
do_mmap+0x6c0/0xcec mm/mmap.c:1575
vm_mmap_pgoff+0x1a4/0x2b4 mm/util.c:551
ksys_mmap_pgoff+0x458/0x668 mm/mmap.c:1624
__do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
__se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
__arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

-> #0 (&mm->mmap_lock){++++}-{3:3}:

check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]

validate_chain kernel/locking/lockdep.c:3787 [inline]
__lock_acquire+0x32cc/0x7620 kernel/locking/lockdep.c:5011
lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5622
__might_fault+0xc8/0x128 mm/memory.c:5311
_copy_to_user include/linux/uaccess.h:174 [inline]
copy_to_user include/linux/uaccess.h:200 [inline]
fiemap_fill_next_extent+0x1b4/0x44c fs/ioctl.c:144
ni_fiemap+0xc40/0xe10 fs/ntfs3/frecord.c:1894
ntfs_fiemap+0x110/0x168 fs/ntfs3/file.c:1225
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x1bcc/0x2a38 fs/ioctl.c:814
__do_sys_ioctl fs/ioctl.c:872 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__arm64_sys_ioctl+0xe4/0x1c8 fs/ioctl.c:860
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&ni->ni_lock/4);

lock(&mm->mmap_lock);
lock(&ni->ni_lock/4);
lock(&mm->mmap_lock);

*** DEADLOCK ***

1 lock held by syz-executor126/3962:
#0: ffff0000dc7df700 (&ni->ni_lock/4){+.+.}-{3:3}, at: ni_lock fs/ntfs3/ntfs_fs.h:1108 [inline]
#0: ffff0000dc7df700 (&ni->ni_lock/4){+.+.}-{3:3}, at: ntfs_fiemap+0xec/0x168 fs/ntfs3/file.c:1223

stack backtrace:
CPU: 1 PID: 3962 Comm: syz-executor126 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
print_circular_bug+0x150/0x1b8 kernel/locking/lockdep.c:2011
check_noncircular+0x2cc/0x378 kernel/locking/lockdep.c:2133

check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]

validate_chain kernel/locking/lockdep.c:3787 [inline]
__lock_acquire+0x32cc/0x7620 kernel/locking/lockdep.c:5011
lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5622
__might_fault+0xc8/0x128 mm/memory.c:5311
_copy_to_user include/linux/uaccess.h:174 [inline]
copy_to_user include/linux/uaccess.h:200 [inline]
fiemap_fill_next_extent+0x1b4/0x44c fs/ioctl.c:144
ni_fiemap+0xc40/0xe10 fs/ntfs3/frecord.c:1894
ntfs_fiemap+0x110/0x168 fs/ntfs3/file.c:1225
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x1bcc/0x2a38 fs/ioctl.c:814
__do_sys_ioctl fs/ioctl.c:872 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__arm64_sys_ioctl+0xe4/0x1c8 fs/ioctl.c:860
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: fa74641fb6b9 Linux 6.1.29
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=108d0aee280000
kernel config: https://syzkaller.appspot.com/x/.config?x=7454aa89ac475d7b

dashboard link: https://syzkaller.appspot.com/bug?extid=b40a7a91431612fd07c7
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10644672280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=129f2e86280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/53e4da6b145c/disk-fa74641f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/adeb1a2cfa86/vmlinux-fa74641f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c976f1155d08/Image-fa74641f.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9c200d63f95f/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b40a7a...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 4096

======================================================
WARNING: possible circular locking dependency detected

6.1.29-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor315/4216 is trying to acquire lock:
ffff0000d44cc948 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0x9c/0x124 mm/memory.c:5654

but task is already holding lock:

ffff0000df187700 (&ni->ni_lock/4){+.+.}-{3:3}, at: ni_lock fs/ntfs3/ntfs_fs.h:1109 [inline]
ffff0000df187700 (&ni->ni_lock/4){+.+.}-{3:3}, at: ntfs_fiemap+0xec/0x168 fs/ntfs3/file.c:1243

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ni->ni_lock/4){+.+.}-{3:3}:

__mutex_lock_common+0x190/0x21a0 kernel/locking/mutex.c:603
__mutex_lock kernel/locking/mutex.c:747 [inline]
mutex_lock_nested+0x38/0x44 kernel/locking/mutex.c:799
ni_lock fs/ntfs3/ntfs_fs.h:1109 [inline]
attr_data_get_block+0x330/0x1bdc fs/ntfs3/attrib.c:921
ntfs_file_mmap+0x3a4/0x688 fs/ntfs3/file.c:387
call_mmap include/linux/fs.h:2210 [inline]
mmap_region+0xdd0/0x1a98 mm/mmap.c:2663
do_mmap+0xa00/0x1108 mm/mmap.c:1411
vm_mmap_pgoff+0x1a4/0x2b4 mm/util.c:520
ksys_mmap_pgoff+0x3c8/0x5b0 mm/mmap.c:1457

__do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
__se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
__arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]

invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581

-> #0 (&mm->mmap_lock){++++}-{3:3}:

check_prev_add kernel/locking/lockdep.c:3098 [inline]
check_prevs_add kernel/locking/lockdep.c:3217 [inline]

validate_chain kernel/locking/lockdep.c:3832 [inline]
__lock_acquire+0x3338/0x764c kernel/locking/lockdep.c:5056
lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5669
__might_fault+0xc4/0x124 mm/memory.c:5655
_copy_to_user include/linux/uaccess.h:143 [inline]
copy_to_user include/linux/uaccess.h:169 [inline]
fiemap_fill_next_extent+0x1b4/0x424 fs/ioctl.c:144
ni_fiemap+0xc40/0xe10 fs/ntfs3/frecord.c:1943
ntfs_fiemap+0x110/0x168 fs/ntfs3/file.c:1245
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x194c/0x26f8 fs/ioctl.c:810
__do_sys_ioctl fs/ioctl.c:868 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__arm64_sys_ioctl+0xe4/0x1c8 fs/ioctl.c:856
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&ni->ni_lock/4);

lock(&mm->mmap_lock);
lock(&ni->ni_lock/4);
lock(&mm->mmap_lock);

*** DEADLOCK ***

1 lock held by syz-executor315/4216:
#0: ffff0000df187700 (&ni->ni_lock/4){+.+.}-{3:3}, at: ni_lock fs/ntfs3/ntfs_fs.h:1109 [inline]
#0: ffff0000df187700 (&ni->ni_lock/4){+.+.}-{3:3}, at: ntfs_fiemap+0xec/0x168 fs/ntfs3/file.c:1243

stack backtrace:
CPU: 0 PID: 4216 Comm: syz-executor315 Not tainted 6.1.29-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106

dump_stack+0x1c/0x5c lib/dump_stack.c:113
print_circular_bug+0x150/0x1b8 kernel/locking/lockdep.c:2056
check_noncircular+0x2cc/0x378 kernel/locking/lockdep.c:2178

check_prev_add kernel/locking/lockdep.c:3098 [inline]
check_prevs_add kernel/locking/lockdep.c:3217 [inline]

validate_chain kernel/locking/lockdep.c:3832 [inline]
__lock_acquire+0x3338/0x764c kernel/locking/lockdep.c:5056
lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5669
__might_fault+0xc4/0x124 mm/memory.c:5655
_copy_to_user include/linux/uaccess.h:143 [inline]
copy_to_user include/linux/uaccess.h:169 [inline]
fiemap_fill_next_extent+0x1b4/0x424 fs/ioctl.c:144
ni_fiemap+0xc40/0xe10 fs/ntfs3/frecord.c:1943
ntfs_fiemap+0x110/0x168 fs/ntfs3/file.c:1245
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x194c/0x26f8 fs/ioctl.c:810
__do_sys_ioctl fs/ioctl.c:868 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__arm64_sys_ioctl+0xe4/0x1c8 fs/ioctl.c:856
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581