[syzbot] [exfat?] possible deadlock in fat_count_free_clusters
22 views
Skip to first unread message
syzbot
Nov 10, 2024, 6:11:28 PM11/10/24
to hiro...@mail.parknet.co.jp, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 929beafbe7ac Add linux-next specific files for 20241108
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1621bd87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=75175323f2078363
dashboard link: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9705ecb6a595/disk-929beafb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dbdd1f64b9b8/vmlinux-929beafb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3f70d07a929b/bzImage-929beafb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a5d8c6...@syzkaller.appspotmail.com
FAT-fs (loop3): error, invalid access to FAT (entry 0x0000616b)
======================================================
WARNING: possible circular locking dependency detected
6.12.0-rc6-next-20241108-syzkaller #0 Not tainted
------------------------------------------------------
syz.3.2125/17744 is trying to acquire lock:
ffff8880691980b0 (&sbi->fat_lock){+.+.}-{4:4}, at: lock_fat fs/fat/fatent.c:281 [inline]
ffff8880691980b0 (&sbi->fat_lock){+.+.}-{4:4}, at: fat_count_free_clusters+0x156/0xe70 fs/fat/fatent.c:724
but task is already holding lock:
ffff88802533deb0 (&q->limits_lock){+.+.}-{4:4}, at: queue_limits_start_update include/linux/blkdev.h:944 [inline]
ffff88802533deb0 (&q->limits_lock){+.+.}-{4:4}, at: loop_reconfigure_limits+0x287/0x9f0 drivers/block/loop.c:1003
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&q->limits_lock){+.+.}-{4:4}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
queue_limits_start_update include/linux/blkdev.h:944 [inline]
loop_reconfigure_limits+0x287/0x9f0 drivers/block/loop.c:1003
loop_set_block_size drivers/block/loop.c:1473 [inline]
lo_simple_ioctl drivers/block/loop.c:1496 [inline]
lo_ioctl+0x1351/0x1f50 drivers/block/loop.c:1559
blkdev_ioctl+0x57d/0x6a0 block/ioctl.c:693
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (&q->q_usage_counter(io)#17){++++}-{0:0}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
bio_queue_enter block/blk.h:75 [inline]
blk_mq_submit_bio+0x1510/0x2490 block/blk-mq.c:3095
__submit_bio+0x2c2/0x560 block/blk-core.c:629
__submit_bio_noacct_mq block/blk-core.c:710 [inline]
submit_bio_noacct_nocheck+0x4d3/0xe30 block/blk-core.c:739
submit_bh fs/buffer.c:2819 [inline]
__bread_slow fs/buffer.c:1264 [inline]
__bread_gfp+0x23c/0x400 fs/buffer.c:1488
sb_bread include/linux/buffer_head.h:346 [inline]
fat12_ent_bread+0x155/0x540 fs/fat/fatent.c:77
fat_ent_read_block+0x3e4/0x530 fs/fat/fatent.c:445
fat_alloc_clusters+0x4ee/0x11c0 fs/fat/fatent.c:493
fat_add_cluster fs/fat/inode.c:107 [inline]
__fat_get_block fs/fat/inode.c:154 [inline]
fat_get_block+0x4c4/0xd00 fs/fat/inode.c:189
__block_write_begin_int+0x50c/0x1a70 fs/buffer.c:2116
block_write_begin fs/buffer.c:2226 [inline]
cont_write_begin+0x6e2/0x9d0 fs/buffer.c:2577
fat_write_begin+0x76/0x140 fs/fat/inode.c:228
generic_perform_write+0x344/0x6d0 mm/filemap.c:4055
generic_file_write_iter+0xae/0x310 mm/filemap.c:4182
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0xaeb/0xd30 fs/read_write.c:679
ksys_write+0x18f/0x2b0 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&sbi->fat_lock){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
lock_fat fs/fat/fatent.c:281 [inline]
fat_count_free_clusters+0x156/0xe70 fs/fat/fatent.c:724
fat_statfs+0x139/0x450 fs/fat/inode.c:834
statfs_by_dentry fs/statfs.c:66 [inline]
vfs_statfs+0x13b/0x2c0 fs/statfs.c:90
loop_config_discard drivers/block/loop.c:798 [inline]
loop_reconfigure_limits+0x5fe/0x9f0 drivers/block/loop.c:1012
loop_configure+0x77e/0xeb0 drivers/block/loop.c:1093
lo_ioctl+0x846/0x1f50
blkdev_ioctl+0x57d/0x6a0 block/ioctl.c:693
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&sbi->fat_lock --> &q->q_usage_counter(io)#17 --> &q->limits_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&q->limits_lock);
lock(&q->q_usage_counter(io)#17);
lock(&q->limits_lock);
lock(&sbi->fat_lock);
*** DEADLOCK ***
2 locks held by syz.3.2125/17744:
#0: ffff88802541fb60 (&lo->lo_mutex){+.+.}-{4:4}, at: loop_global_lock_killable drivers/block/loop.c:120 [inline]
#0: ffff88802541fb60 (&lo->lo_mutex){+.+.}-{4:4}, at: loop_configure+0x1f7/0xeb0 drivers/block/loop.c:1044
#1: ffff88802533deb0 (&q->limits_lock){+.+.}-{4:4}, at: queue_limits_start_update include/linux/blkdev.h:944 [inline]
#1: ffff88802533deb0 (&q->limits_lock){+.+.}-{4:4}, at: loop_reconfigure_limits+0x287/0x9f0 drivers/block/loop.c:1003
stack backtrace:
CPU: 0 UID: 0 PID: 17744 Comm: syz.3.2125 Not tainted 6.12.0-rc6-next-20241108-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
lock_fat fs/fat/fatent.c:281 [inline]
fat_count_free_clusters+0x156/0xe70 fs/fat/fatent.c:724
fat_statfs+0x139/0x450 fs/fat/inode.c:834
statfs_by_dentry fs/statfs.c:66 [inline]
vfs_statfs+0x13b/0x2c0 fs/statfs.c:90
loop_config_discard drivers/block/loop.c:798 [inline]
loop_reconfigure_limits+0x5fe/0x9f0 drivers/block/loop.c:1012
loop_configure+0x77e/0xeb0 drivers/block/loop.c:1093
lo_ioctl+0x846/0x1f50
blkdev_ioctl+0x57d/0x6a0 block/ioctl.c:693
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9752d7e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9753abd038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f9752f36058 RCX: 00007f9752d7e719
RDX: 00000000200002c0 RSI: 0000000000004c0a RDI: 0000000000000008
RBP: 00007f9752df139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f9752f36058 R15: 00007ffe36e679e8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 929beafbe7ac Add linux-next specific files for 20241108
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1621bd87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=75175323f2078363
dashboard link: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9705ecb6a595/disk-929beafb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dbdd1f64b9b8/vmlinux-929beafb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3f70d07a929b/bzImage-929beafb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a5d8c6...@syzkaller.appspotmail.com
FAT-fs (loop3): error, invalid access to FAT (entry 0x0000616b)
======================================================
WARNING: possible circular locking dependency detected
6.12.0-rc6-next-20241108-syzkaller #0 Not tainted
------------------------------------------------------
syz.3.2125/17744 is trying to acquire lock:
ffff8880691980b0 (&sbi->fat_lock){+.+.}-{4:4}, at: lock_fat fs/fat/fatent.c:281 [inline]
ffff8880691980b0 (&sbi->fat_lock){+.+.}-{4:4}, at: fat_count_free_clusters+0x156/0xe70 fs/fat/fatent.c:724
but task is already holding lock:
ffff88802533deb0 (&q->limits_lock){+.+.}-{4:4}, at: queue_limits_start_update include/linux/blkdev.h:944 [inline]
ffff88802533deb0 (&q->limits_lock){+.+.}-{4:4}, at: loop_reconfigure_limits+0x287/0x9f0 drivers/block/loop.c:1003
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&q->limits_lock){+.+.}-{4:4}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
queue_limits_start_update include/linux/blkdev.h:944 [inline]
loop_reconfigure_limits+0x287/0x9f0 drivers/block/loop.c:1003
loop_set_block_size drivers/block/loop.c:1473 [inline]
lo_simple_ioctl drivers/block/loop.c:1496 [inline]
lo_ioctl+0x1351/0x1f50 drivers/block/loop.c:1559
blkdev_ioctl+0x57d/0x6a0 block/ioctl.c:693
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (&q->q_usage_counter(io)#17){++++}-{0:0}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
bio_queue_enter block/blk.h:75 [inline]
blk_mq_submit_bio+0x1510/0x2490 block/blk-mq.c:3095
__submit_bio+0x2c2/0x560 block/blk-core.c:629
__submit_bio_noacct_mq block/blk-core.c:710 [inline]
submit_bio_noacct_nocheck+0x4d3/0xe30 block/blk-core.c:739
submit_bh fs/buffer.c:2819 [inline]
__bread_slow fs/buffer.c:1264 [inline]
__bread_gfp+0x23c/0x400 fs/buffer.c:1488
sb_bread include/linux/buffer_head.h:346 [inline]
fat12_ent_bread+0x155/0x540 fs/fat/fatent.c:77
fat_ent_read_block+0x3e4/0x530 fs/fat/fatent.c:445
fat_alloc_clusters+0x4ee/0x11c0 fs/fat/fatent.c:493
fat_add_cluster fs/fat/inode.c:107 [inline]
__fat_get_block fs/fat/inode.c:154 [inline]
fat_get_block+0x4c4/0xd00 fs/fat/inode.c:189
__block_write_begin_int+0x50c/0x1a70 fs/buffer.c:2116
block_write_begin fs/buffer.c:2226 [inline]
cont_write_begin+0x6e2/0x9d0 fs/buffer.c:2577
fat_write_begin+0x76/0x140 fs/fat/inode.c:228
generic_perform_write+0x344/0x6d0 mm/filemap.c:4055
generic_file_write_iter+0xae/0x310 mm/filemap.c:4182
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0xaeb/0xd30 fs/read_write.c:679
ksys_write+0x18f/0x2b0 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&sbi->fat_lock){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
lock_fat fs/fat/fatent.c:281 [inline]
fat_count_free_clusters+0x156/0xe70 fs/fat/fatent.c:724
fat_statfs+0x139/0x450 fs/fat/inode.c:834
statfs_by_dentry fs/statfs.c:66 [inline]
vfs_statfs+0x13b/0x2c0 fs/statfs.c:90
loop_config_discard drivers/block/loop.c:798 [inline]
loop_reconfigure_limits+0x5fe/0x9f0 drivers/block/loop.c:1012
loop_configure+0x77e/0xeb0 drivers/block/loop.c:1093
lo_ioctl+0x846/0x1f50
blkdev_ioctl+0x57d/0x6a0 block/ioctl.c:693
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&sbi->fat_lock --> &q->q_usage_counter(io)#17 --> &q->limits_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&q->limits_lock);
lock(&q->q_usage_counter(io)#17);
lock(&q->limits_lock);
lock(&sbi->fat_lock);
*** DEADLOCK ***
2 locks held by syz.3.2125/17744:
#0: ffff88802541fb60 (&lo->lo_mutex){+.+.}-{4:4}, at: loop_global_lock_killable drivers/block/loop.c:120 [inline]
#0: ffff88802541fb60 (&lo->lo_mutex){+.+.}-{4:4}, at: loop_configure+0x1f7/0xeb0 drivers/block/loop.c:1044
#1: ffff88802533deb0 (&q->limits_lock){+.+.}-{4:4}, at: queue_limits_start_update include/linux/blkdev.h:944 [inline]
#1: ffff88802533deb0 (&q->limits_lock){+.+.}-{4:4}, at: loop_reconfigure_limits+0x287/0x9f0 drivers/block/loop.c:1003
stack backtrace:
CPU: 0 UID: 0 PID: 17744 Comm: syz.3.2125 Not tainted 6.12.0-rc6-next-20241108-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
lock_fat fs/fat/fatent.c:281 [inline]
fat_count_free_clusters+0x156/0xe70 fs/fat/fatent.c:724
fat_statfs+0x139/0x450 fs/fat/inode.c:834
statfs_by_dentry fs/statfs.c:66 [inline]
vfs_statfs+0x13b/0x2c0 fs/statfs.c:90
loop_config_discard drivers/block/loop.c:798 [inline]
loop_reconfigure_limits+0x5fe/0x9f0 drivers/block/loop.c:1012
loop_configure+0x77e/0xeb0 drivers/block/loop.c:1093
lo_ioctl+0x846/0x1f50
blkdev_ioctl+0x57d/0x6a0 block/ioctl.c:693
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9752d7e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9753abd038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f9752f36058 RCX: 00007f9752d7e719
RDX: 00000000200002c0 RSI: 0000000000004c0a RDI: 0000000000000008
RBP: 00007f9752df139e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f9752f36058 R15: 00007ffe36e679e8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
OGAWA Hirofumi
Nov 11, 2024, 8:07:30 AM11/11/24
to Jens Axboe, linux...@vger.kernel.org, syzbot, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com
Hi,
syzbot <syzbot+a5d8c6...@syzkaller.appspotmail.com> writes:
> syzbot found the following issue on:
>
> HEAD commit: 929beafbe7ac Add linux-next specific files for 20241108
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1621bd87980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=75175323f2078363
> dashboard link: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
This patch is to fix the above race. Please check this.
Thanks
From: OGAWA Hirofumi <hiro...@mail.parknet.co.jp>
Subject: [PATCH] loop: Fix ABBA locking race
Date: Mon, 11 Nov 2024 21:53:36 +0900
Current loop calls vfs_statfs() while holding the q->limits_lock. If
FS takes some locking in vfs_statfs callback, this may lead to ABBA
locking bug (at least, FAT fs has this issue actually).
So this patch calls vfs_statfs() outside q->limits_locks instead,
because looks like there is no reason to hold q->limits_locks while
getting discard configs.
Chain exists of:
&sbi->fat_lock --> &q->q_usage_counter(io)#17 --> &q->limits_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&q->limits_lock);
lock(&q->q_usage_counter(io)#17);
lock(&q->limits_lock);
lock(&sbi->fat_lock);
*** DEADLOCK ***
Reported-by: syzbot+a5d8c6...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
Signed-off-by: OGAWA Hirofumi <hiro...@mail.parknet.co.jp>
---
drivers/block/loop.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 78a7bb2..5f3ce51 100644
--- a/drivers/block/loop.c 2024-09-16 13:45:20.253220178 +0900
+++ b/drivers/block/loop.c 2024-11-11 21:51:00.910135443 +0900
@@ -770,12 +770,11 @@ static void loop_sysfs_exit(struct loop_
&loop_attribute_group);
}
-static void loop_config_discard(struct loop_device *lo,
- struct queue_limits *lim)
+static void loop_get_discard_config(struct loop_device *lo,
+ u32 *granularity, u32 *max_discard_sectors)
{
struct file *file = lo->lo_backing_file;
struct inode *inode = file->f_mapping->host;
- u32 granularity = 0, max_discard_sectors = 0;
struct kstatfs sbuf;
/*
@@ -788,8 +787,9 @@ static void loop_config_discard(struct l
if (S_ISBLK(inode->i_mode)) {
struct request_queue *backingq = bdev_get_queue(I_BDEV(inode));
- max_discard_sectors = backingq->limits.max_write_zeroes_sectors;
- granularity = bdev_discard_granularity(I_BDEV(inode)) ?:
+ *max_discard_sectors =
+ backingq->limits.max_write_zeroes_sectors;
+ *granularity = bdev_discard_granularity(I_BDEV(inode)) ?:
queue_physical_block_size(backingq);
/*
@@ -797,16 +797,9 @@ static void loop_config_discard(struct l
* image a.k.a. discard.
*/
} else if (file->f_op->fallocate && !vfs_statfs(&file->f_path, &sbuf)) {
- max_discard_sectors = UINT_MAX >> 9;
- granularity = sbuf.f_bsize;
+ *max_discard_sectors = UINT_MAX >> 9;
+ *granularity = sbuf.f_bsize;
}
-
- lim->max_hw_discard_sectors = max_discard_sectors;
- lim->max_write_zeroes_sectors = max_discard_sectors;
- if (max_discard_sectors)
- lim->discard_granularity = granularity;
- else
- lim->discard_granularity = 0;
}
struct loop_worker {
@@ -992,6 +985,7 @@ static int loop_reconfigure_limits(struc
struct inode *inode = file->f_mapping->host;
struct block_device *backing_bdev = NULL;
struct queue_limits lim;
+ u32 granularity = 0, max_discard_sectors = 0;
if (S_ISBLK(inode->i_mode))
backing_bdev = I_BDEV(inode);
@@ -1001,6 +995,8 @@ static int loop_reconfigure_limits(struc
if (!bsize)
bsize = loop_default_blocksize(lo, backing_bdev);
+ loop_get_discard_config(lo, &granularity, &max_discard_sectors);
+
lim = queue_limits_start_update(lo->lo_queue);
lim.logical_block_size = bsize;
lim.physical_block_size = bsize;
@@ -1010,7 +1006,12 @@ static int loop_reconfigure_limits(struc
lim.features |= BLK_FEAT_WRITE_CACHE;
if (backing_bdev && !bdev_nonrot(backing_bdev))
lim.features |= BLK_FEAT_ROTATIONAL;
- loop_config_discard(lo, &lim);
+ lim.max_hw_discard_sectors = max_discard_sectors;
+ lim.max_write_zeroes_sectors = max_discard_sectors;
+ if (max_discard_sectors)
+ lim.discard_granularity = granularity;
+ else
+ lim.discard_granularity = 0;
return queue_limits_commit_update(lo->lo_queue, &lim);
}
_
--
OGAWA Hirofumi <hiro...@mail.parknet.co.jp>
syzbot <syzbot+a5d8c6...@syzkaller.appspotmail.com> writes:
> syzbot found the following issue on:
>
> HEAD commit: 929beafbe7ac Add linux-next specific files for 20241108
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1621bd87980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=75175323f2078363
> dashboard link: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Thanks
From: OGAWA Hirofumi <hiro...@mail.parknet.co.jp>
Subject: [PATCH] loop: Fix ABBA locking race
Date: Mon, 11 Nov 2024 21:53:36 +0900
Current loop calls vfs_statfs() while holding the q->limits_lock. If
FS takes some locking in vfs_statfs callback, this may lead to ABBA
locking bug (at least, FAT fs has this issue actually).
So this patch calls vfs_statfs() outside q->limits_locks instead,
because looks like there is no reason to hold q->limits_locks while
getting discard configs.
Chain exists of:
&sbi->fat_lock --> &q->q_usage_counter(io)#17 --> &q->limits_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&q->limits_lock);
lock(&q->q_usage_counter(io)#17);
lock(&q->limits_lock);
lock(&sbi->fat_lock);
*** DEADLOCK ***
Closes: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
Signed-off-by: OGAWA Hirofumi <hiro...@mail.parknet.co.jp>
---
drivers/block/loop.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 78a7bb2..5f3ce51 100644
--- a/drivers/block/loop.c 2024-09-16 13:45:20.253220178 +0900
+++ b/drivers/block/loop.c 2024-11-11 21:51:00.910135443 +0900
@@ -770,12 +770,11 @@ static void loop_sysfs_exit(struct loop_
&loop_attribute_group);
}
-static void loop_config_discard(struct loop_device *lo,
- struct queue_limits *lim)
+static void loop_get_discard_config(struct loop_device *lo,
+ u32 *granularity, u32 *max_discard_sectors)
{
struct file *file = lo->lo_backing_file;
struct inode *inode = file->f_mapping->host;
- u32 granularity = 0, max_discard_sectors = 0;
struct kstatfs sbuf;
/*
@@ -788,8 +787,9 @@ static void loop_config_discard(struct l
if (S_ISBLK(inode->i_mode)) {
struct request_queue *backingq = bdev_get_queue(I_BDEV(inode));
- max_discard_sectors = backingq->limits.max_write_zeroes_sectors;
- granularity = bdev_discard_granularity(I_BDEV(inode)) ?:
+ *max_discard_sectors =
+ backingq->limits.max_write_zeroes_sectors;
+ *granularity = bdev_discard_granularity(I_BDEV(inode)) ?:
queue_physical_block_size(backingq);
/*
@@ -797,16 +797,9 @@ static void loop_config_discard(struct l
* image a.k.a. discard.
*/
} else if (file->f_op->fallocate && !vfs_statfs(&file->f_path, &sbuf)) {
- max_discard_sectors = UINT_MAX >> 9;
- granularity = sbuf.f_bsize;
+ *max_discard_sectors = UINT_MAX >> 9;
+ *granularity = sbuf.f_bsize;
}
-
- lim->max_hw_discard_sectors = max_discard_sectors;
- lim->max_write_zeroes_sectors = max_discard_sectors;
- if (max_discard_sectors)
- lim->discard_granularity = granularity;
- else
- lim->discard_granularity = 0;
}
struct loop_worker {
@@ -992,6 +985,7 @@ static int loop_reconfigure_limits(struc
struct inode *inode = file->f_mapping->host;
struct block_device *backing_bdev = NULL;
struct queue_limits lim;
+ u32 granularity = 0, max_discard_sectors = 0;
if (S_ISBLK(inode->i_mode))
backing_bdev = I_BDEV(inode);
@@ -1001,6 +995,8 @@ static int loop_reconfigure_limits(struc
if (!bsize)
bsize = loop_default_blocksize(lo, backing_bdev);
+ loop_get_discard_config(lo, &granularity, &max_discard_sectors);
+
lim = queue_limits_start_update(lo->lo_queue);
lim.logical_block_size = bsize;
lim.physical_block_size = bsize;
@@ -1010,7 +1006,12 @@ static int loop_reconfigure_limits(struc
lim.features |= BLK_FEAT_WRITE_CACHE;
if (backing_bdev && !bdev_nonrot(backing_bdev))
lim.features |= BLK_FEAT_ROTATIONAL;
- loop_config_discard(lo, &lim);
+ lim.max_hw_discard_sectors = max_discard_sectors;
+ lim.max_write_zeroes_sectors = max_discard_sectors;
+ if (max_discard_sectors)
+ lim.discard_granularity = granularity;
+ else
+ lim.discard_granularity = 0;
return queue_limits_commit_update(lo->lo_queue, &lim);
}
_
--
OGAWA Hirofumi <hiro...@mail.parknet.co.jp>
OGAWA Hirofumi
Nov 19, 2024, 2:27:46 AM11/19/24
to Jens Axboe, linux...@vger.kernel.org, syzbot, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com
Ming Lei
Nov 19, 2024, 7:11:02 AM11/19/24
to OGAWA Hirofumi, Jens Axboe, linux...@vger.kernel.org, syzbot, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com
Jens Axboe
Nov 19, 2024, 9:18:18 AM11/19/24
to Ming Lei, OGAWA Hirofumi, linux...@vger.kernel.org, syzbot, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com
an updated one please?
--
Jens Axboe
OGAWA Hirofumi
Nov 19, 2024, 9:46:39 AM11/19/24
to Jens Axboe, Ming Lei, linux...@vger.kernel.org, syzbot, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com
Jens Axboe <ax...@kernel.dk> writes:
> On 11/19/24 5:10 AM, Ming Lei wrote:
>> On Tue, Nov 12, 2024 at 12:44 AM OGAWA Hirofumi
>> <hiro...@mail.parknet.co.jp> wrote:
>>>
>>> Hi,
>>>
>>> syzbot <syzbot+a5d8c6...@syzkaller.appspotmail.com> writes:
>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit: 929beafbe7ac Add linux-next specific files for 20241108
>>>> git tree: linux-next
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1621bd87980000
>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=75175323f2078363
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
>>>> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
[...]
> On 11/19/24 5:10 AM, Ming Lei wrote:
>> On Tue, Nov 12, 2024 at 12:44 AM OGAWA Hirofumi
>> <hiro...@mail.parknet.co.jp> wrote:
>>>
>>> Hi,
>>>
>>> syzbot <syzbot+a5d8c6...@syzkaller.appspotmail.com> writes:
>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit: 929beafbe7ac Add linux-next specific files for 20241108
>>>> git tree: linux-next
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1621bd87980000
>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=75175323f2078363
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
>>>> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>>
>> Looks fine,
>>
>> Reviewed-by: Ming Lei <ming...@redhat.com>
>
> The patch doesn't apply to the for-6.13/block tree, Ogawa can you send
> an updated one please?
Thanks.
From: OGAWA Hirofumi <hiro...@mail.parknet.co.jp>
Subject: [PATCH] loop: Fix ABBA locking race
Date: Tue, 19 Nov 2024 23:42:23 +0900
Current loop calls vfs_statfs() while holding the q->limits_lock. If
FS takes some locking in vfs_statfs callback, this may lead to ABBA
locking bug (at least, FAT fs has this issue actually).
So this patch calls vfs_statfs() outside q->limits_locks instead,
discord configs.
Chain exists of:
&sbi->fat_lock --> &q->q_usage_counter(io)#17 --> &q->limits_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&q->limits_lock);
lock(&q->q_usage_counter(io)#17);
lock(&q->limits_lock);
lock(&sbi->fat_lock);
*** DEADLOCK ***
Reported-by: syzbot+a5d8c6...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
drivers/block/loop.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index fe9bb4f..8f6761c 100644
--- a/drivers/block/loop.c 2024-11-19 23:37:54.760751014 +0900
+++ b/drivers/block/loop.c 2024-11-19 23:38:55.645461107 +0900
@@ -770,12 +770,11 @@ static void loop_sysfs_exit(struct loop_
&loop_attribute_group);
}
-static void loop_config_discard(struct loop_device *lo,
- struct queue_limits *lim)
+static void loop_get_discard_config(struct loop_device *lo,
+ u32 *granularity, u32 *max_discard_sectors)
{
struct file *file = lo->lo_backing_file;
struct inode *inode = file->f_mapping->host;
- u32 granularity = 0, max_discard_sectors = 0;
struct kstatfs sbuf;
/*
@@ -788,24 +787,17 @@ static void loop_config_discard(struct l
&loop_attribute_group);
}
-static void loop_config_discard(struct loop_device *lo,
- struct queue_limits *lim)
+static void loop_get_discard_config(struct loop_device *lo,
+ u32 *granularity, u32 *max_discard_sectors)
{
struct file *file = lo->lo_backing_file;
struct inode *inode = file->f_mapping->host;
- u32 granularity = 0, max_discard_sectors = 0;
struct kstatfs sbuf;
/*
if (S_ISBLK(inode->i_mode)) {
struct block_device *bdev = I_BDEV(inode);
- max_discard_sectors = bdev_write_zeroes_sectors(bdev);
- granularity = bdev_discard_granularity(bdev);
+ *max_discard_sectors = bdev_write_zeroes_sectors(bdev);
+ *granularity = bdev_discard_granularity(bdev);
/*
* We use punch hole to reclaim the free space used by the
* image a.k.a. discard.
*/
} else if (file->f_op->fallocate && !vfs_statfs(&file->f_path, &sbuf)) {
- max_discard_sectors = UINT_MAX >> 9;
- granularity = sbuf.f_bsize;
+ *max_discard_sectors = UINT_MAX >> 9;
+ *granularity = sbuf.f_bsize;
}
-
- lim->max_hw_discard_sectors = max_discard_sectors;
- lim->max_write_zeroes_sectors = max_discard_sectors;
- if (max_discard_sectors)
- lim->discard_granularity = granularity;
- else
- lim->discard_granularity = 0;
}
struct loop_worker {
@@ -991,6 +983,7 @@ static int loop_reconfigure_limits(struc
*/
} else if (file->f_op->fallocate && !vfs_statfs(&file->f_path, &sbuf)) {
- max_discard_sectors = UINT_MAX >> 9;
- granularity = sbuf.f_bsize;
+ *max_discard_sectors = UINT_MAX >> 9;
+ *granularity = sbuf.f_bsize;
}
-
- lim->max_hw_discard_sectors = max_discard_sectors;
- lim->max_write_zeroes_sectors = max_discard_sectors;
- if (max_discard_sectors)
- lim->discard_granularity = granularity;
- else
- lim->discard_granularity = 0;
}
struct loop_worker {
struct inode *inode = file->f_mapping->host;
struct block_device *backing_bdev = NULL;
struct queue_limits lim;
+ u32 granularity = 0, max_discard_sectors = 0;
if (S_ISBLK(inode->i_mode))
backing_bdev = I_BDEV(inode);
@@ -1000,6 +993,8 @@ static int loop_reconfigure_limits(struc
struct block_device *backing_bdev = NULL;
struct queue_limits lim;
+ u32 granularity = 0, max_discard_sectors = 0;
if (S_ISBLK(inode->i_mode))
backing_bdev = I_BDEV(inode);
if (!bsize)
bsize = loop_default_blocksize(lo, backing_bdev);
+ loop_get_discard_config(lo, &granularity, &max_discard_sectors);
+
lim = queue_limits_start_update(lo->lo_queue);
lim.logical_block_size = bsize;
lim.physical_block_size = bsize;
@@ -1009,7 +1004,12 @@ static int loop_reconfigure_limits(struc
bsize = loop_default_blocksize(lo, backing_bdev);
+ loop_get_discard_config(lo, &granularity, &max_discard_sectors);
+
lim = queue_limits_start_update(lo->lo_queue);
lim.logical_block_size = bsize;
lim.physical_block_size = bsize;
lim.features |= BLK_FEAT_WRITE_CACHE;
if (backing_bdev && !bdev_nonrot(backing_bdev))
lim.features |= BLK_FEAT_ROTATIONAL;
- loop_config_discard(lo, &lim);
+ lim.max_hw_discard_sectors = max_discard_sectors;
+ lim.max_write_zeroes_sectors = max_discard_sectors;
+ if (max_discard_sectors)
+ lim.discard_granularity = granularity;
+ else
+ lim.discard_granularity = 0;
return queue_limits_commit_update(lo->lo_queue, &lim);
}
if (backing_bdev && !bdev_nonrot(backing_bdev))
lim.features |= BLK_FEAT_ROTATIONAL;
- loop_config_discard(lo, &lim);
+ lim.max_hw_discard_sectors = max_discard_sectors;
+ lim.max_write_zeroes_sectors = max_discard_sectors;
+ if (max_discard_sectors)
+ lim.discard_granularity = granularity;
+ else
+ lim.discard_granularity = 0;
return queue_limits_commit_update(lo->lo_queue, &lim);
}
Jens Axboe
Nov 19, 2024, 9:55:56 AM11/19/24
to OGAWA Hirofumi, Ming Lei, linux...@vger.kernel.org, syzbot, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com
On 11/19/24 7:46 AM, OGAWA Hirofumi wrote:
> Jens Axboe <ax...@kernel.dk> writes:
>
>> On 11/19/24 5:10 AM, Ming Lei wrote:
>>> On Tue, Nov 12, 2024 at 12:44?AM OGAWA Hirofumi
> Jens Axboe <ax...@kernel.dk> writes:
>
>> On 11/19/24 5:10 AM, Ming Lei wrote:
>>> <hiro...@mail.parknet.co.jp> wrote:
>>>>
>>>> Hi,
>>>>
>>>> syzbot <syzbot+a5d8c6...@syzkaller.appspotmail.com> writes:
>>>>
>>>>> syzbot found the following issue on:
>>>>>
>>>>> HEAD commit: 929beafbe7ac Add linux-next specific files for 20241108
>>>>> git tree: linux-next
>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1621bd87980000
>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=75175323f2078363
>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
>>>>> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> [...]
>
>>>
>>> Looks fine,
>>>
>>> Reviewed-by: Ming Lei <ming...@redhat.com>
>>
>> The patch doesn't apply to the for-6.13/block tree, Ogawa can you send
>> an updated one please?
>
> Updated the patch for linux-block:for-6.13/block. Please apply.
Applied, thanks.
>>>>
>>>> Hi,
>>>>
>>>> syzbot <syzbot+a5d8c6...@syzkaller.appspotmail.com> writes:
>>>>
>>>>> syzbot found the following issue on:
>>>>>
>>>>> HEAD commit: 929beafbe7ac Add linux-next specific files for 20241108
>>>>> git tree: linux-next
>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1621bd87980000
>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=75175323f2078363
>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
>>>>> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> [...]
>
>>>
>>> Looks fine,
>>>
>>> Reviewed-by: Ming Lei <ming...@redhat.com>
>>
>> The patch doesn't apply to the for-6.13/block tree, Ogawa can you send
>> an updated one please?
>
> Updated the patch for linux-block:for-6.13/block. Please apply.
FWIW, your outgoing mailer is mangling patches. I fixed it up manually,
but probably something you want to get sorted. Download the raw one from
lore and you can see what I mean.
--
Jens Axboe
OGAWA Hirofumi
Nov 19, 2024, 10:12:24 AM11/19/24
to Jens Axboe, Ming Lei, linux...@vger.kernel.org, syzbot, linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com
Jens Axboe <ax...@kernel.dk> writes:
> FWIW, your outgoing mailer is mangling patches. I fixed it up manually,
> but probably something you want to get sorted. Download the raw one from
> lore and you can see what I mean.
Looks like at Ming Lei's reply, unicode "NARROW NO-BREAK SPACE" was
> FWIW, your outgoing mailer is mangling patches. I fixed it up manually,
> but probably something you want to get sorted. Download the raw one from
> lore and you can see what I mean.
included in ">>>> On Tue, Nov 12, 2024 at 12:44?AM OGAWA Hirofumi" line?
So my mailer may be encoded as utf-8, not raw.
I'll take more care next time if possible. However, this mistake (utf-8
whitespace) may hard to prevent without machinery check somehow.
Thanks.
--
OGAWA Hirofumi <hiro...@mail.parknet.co.jp>
Reply all
Reply to author
Forward
0 new messages