[v6.6] possible deadlock in hfsplus_get_block

3 views
Skip to first unread message

syzbot

unread,
Jun 17, 2025, 7:25:29 AM6/17/25
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c2603c511feb Linux 6.6.93
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11aa55d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=486bade17c8c30b9
dashboard link: https://syzkaller.appspot.com/bug?extid=5620460156f848837a86
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8754f950a6e7/disk-c2603c51.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3b19332dbf63/vmlinux-c2603c51.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cb245e836038/bzImage-c2603c51.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+562046...@syzkaller.appspotmail.com

loop1: detected capacity change from 0 to 1024
============================================
WARNING: possible recursive locking detected
6.6.93-syzkaller #0 Not tainted
--------------------------------------------
syz.1.51/5975 is trying to acquire lock:
ffff888021915f88 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_get_block+0x39f/0x1530 fs/hfsplus/extents.c:260

but task is already holding lock:
ffff8880219173c8 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x293/0xb40 fs/hfsplus/extents.c:577

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&HFSPLUS_I(inode)->extents_lock);

*** DEADLOCK ***

May be due to missing lock nesting notation

4 locks held by syz.1.51/5975:
#0: ffff88807e676418 (sb_writers#14){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:403
#1: ffff8880219175d0 (&sb->s_type->i_mutex_key#21){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:804 [inline]
#1: ffff8880219175d0 (&sb->s_type->i_mutex_key#21){+.+.}-{3:3}, at: do_truncate+0x187/0x220 fs/open.c:64
#2: ffff8880219173c8 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x293/0xb40 fs/hfsplus/extents.c:577
#3: ffff888053ec00f8 (&sbi->alloc_mutex){+.+.}-{3:3}, at: hfsplus_block_free+0xc3/0x4b0 fs/hfsplus/bitmap.c:182

stack backtrace:
CPU: 0 PID: 5975 Comm: syz.1.51 Not tainted 6.6.93-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain kernel/locking/lockdep.c:3856 [inline]
__lock_acquire+0x5d40/0x7c80 kernel/locking/lockdep.c:5137
lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x129/0xcc0 kernel/locking/mutex.c:747
hfsplus_get_block+0x39f/0x1530 fs/hfsplus/extents.c:260
block_read_full_folio+0x42e/0xf40 fs/buffer.c:2406
filemap_read_folio+0x167/0x760 mm/filemap.c:2420
do_read_cache_folio+0x470/0x7e0 mm/filemap.c:3789
do_read_cache_page+0x32/0x250 mm/filemap.c:3855
read_mapping_page include/linux/pagemap.h:892 [inline]
hfsplus_block_free+0x12c/0x4b0 fs/hfsplus/bitmap.c:185
hfsplus_free_extents+0x176/0xac0 fs/hfsplus/extents.c:363
hfsplus_file_truncate+0x735/0xb40 fs/hfsplus/extents.c:592
hfsplus_setattr+0x1c3/0x280 fs/hfsplus/inode.c:269
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
handle_truncate fs/namei.c:3291 [inline]
do_open fs/namei.c:3636 [inline]
path_openat+0x298c/0x3190 fs/namei.c:3789
do_filp_open+0x1c5/0x3d0 fs/namei.c:3816
do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
do_sys_open fs/open.c:1434 [inline]
__do_sys_creat fs/open.c:1512 [inline]
__se_sys_creat fs/open.c:1506 [inline]
__x64_sys_creat+0x90/0xb0 fs/open.c:1506
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fc4ea38e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc4eb137038 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fc4ea5b5fa0 RCX: 00007fc4ea38e929
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000200000000200
RBP: 00007fc4ea410b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc4ea5b5fa0 R15: 00007fffe84c8d78
</TASK>
hfsplus: unable to mark blocks free: error -5
hfsplus: can't free extent


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

unread,
Jun 25, 2025, 11:57:25 PM6/25/25
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 6282921b6825 Linux 6.6.94
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15b6cf0c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=96da6b2210cda427
dashboard link: https://syzkaller.appspot.com/bug?extid=5620460156f848837a86
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17cd3182580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=169c5b70580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a3bf0d8e22b2/disk-6282921b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d1d442f782d0/vmlinux-6282921b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a8378f4b7e1b/bzImage-6282921b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9fdd1d7141e0/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+562046...@syzkaller.appspotmail.com

syz-executor117[5766]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
loop0: detected capacity change from 0 to 1024
============================================
WARNING: possible recursive locking detected
6.6.94-syzkaller #0 Not tainted
--------------------------------------------
syz-executor117/5766 is trying to acquire lock:
ffff88802ffa9548 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_get_block+0x39f/0x1530 fs/hfsplus/extents.c:260

but task is already holding lock:
ffff88802ffaa988 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x293/0xb40 fs/hfsplus/extents.c:577

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&HFSPLUS_I(inode)->extents_lock);

*** DEADLOCK ***

May be due to missing lock nesting notation

4 locks held by syz-executor117/5766:
#0: ffff88807f10c418 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:403
#1: ffff88802ffaab90 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:804 [inline]
#1: ffff88802ffaab90 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}, at: do_truncate+0x187/0x220 fs/open.c:64
#2: ffff88802ffaa988 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x293/0xb40 fs/hfsplus/extents.c:577
#3: ffff88807e7de0f8 (&sbi->alloc_mutex){+.+.}-{3:3}, at: hfsplus_block_free+0xc3/0x4b0 fs/hfsplus/bitmap.c:182

stack backtrace:
CPU: 0 PID: 5766 Comm: syz-executor117 Not tainted 6.6.94-syzkaller #0
RIP: 0033:0x7fcb884349f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe247e6288 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fcb8847d05e RCX: 00007fcb884349f9
RDX: 00007fcb88433cf0 RSI: 0000000000000002 RDI: 0000200000000200
RBP: 0031656c69662f2e R08: 00000000000005ee R09: 0000000000000000
R10:


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages